CVE-2017-7762 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation CWE-290 — Authentication Bypass by Spoofing8 documents7 sources

Severity

7.5HIGHNVD

OSV9.8

EPSS

0.5%

top 32.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox Redhat Enterprise Linux Desktop +2 more

Timeline

PublishedJun 11

Latest updateMay 14

Description

When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the addressbar. This can be used for spoofing the domain of the current page. This vulnerability affects Firefox < 54.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/firefox< firefox 54.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 54

▶NVDmozilla/firefox< 54.0

▶Ubuntumozilla/firefox< 54.0+build3-0ubuntu0.14.04.1+1

▶NVDredhat/enterprise_linux_server6.0, 7.0+1

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-7g8j-7wv5-6f7h: When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the addressbar↗2022-05-14

▶

OSV

firefox vulnerabilities↗2017-06-15

▶

OSV

CVE-2017-7762: When entered directly, Reader Mode did not strip the username and password section of URLs displayed in the addressbar↗2017-06-14

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2017-06-15

▶

Red Hat

Mozilla: address bar username and password spoofing in reader mode↗2017-04-20

▶

Debian

CVE-2017-7762: firefox - When entered directly, Reader Mode did not strip the username and password secti...↗2017

▶

💬Community

Bugzilla

CVE-2017-7762 Mozilla: address bar username and password spoofing in reader mode↗2018-06-12

▶