CVE-2017-5466 — Cross-site Scripting in Mozilla Firefox
Severity
6.1MEDIUMNVD
OSV9.8
EPSS
0.6%
top 29.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 11
Latest updateMay 14
Description
If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages10 packages
Also affects: Enterprise Linux 6.0, 7.0, 7.3, 7.4, 7.5
Patches
🔴Vulnerability Details
6GHSA▶
GHSA-hx2v-35mh-6pxc: If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the relo↗2022-05-14
CVEList▶
CVE-2017-5466: If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the relo↗2018-06-11
📋Vendor Advisories
5Red Hat
▶
Debian▶
CVE-2017-5466: firefox - If a page is loaded from an original site through a hyperlink and contains a red...↗2017
💬Community
1Bugzilla▶
CVE-2017-5466 Mozilla: Origin confusion when reloading isolated data:text/html URL (MFSA 2017-12)↗2017-04-19