CVE-2017-7764
published 2018-06-11


Priority: P425, medium, 5.3 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 2.00% (78.4th percentile)
Characters from the "Canadian Syllabics" Unicode block can be mixed with characters from other Unicode blocks in the address bar instead of being rendered in their raw "punycode" form, allowing domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts", such as Canadian Syllabics, to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0, which removes this category and treats these scripts as "Limited Use Scripts". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
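As an added example (not Mozilla's code, nor the database's), a small Python model of the display policy the fix introduces: each character of a label is classified as Canadian Syllabics by Unicode block range, or otherwise by the first word of its Unicode character name (an assumed simplification of the Unicode Script property); a label that mixes Latin with Canadian Syllabics is shown in its punycode "xn--" form, while single-script labels stay Unicode. The sample hostnames are constructed.

```python
# Added example (not Mozilla's code): a small model of the IDN display policy change
# described in the advisory. Block ranges and the Unicode/punycode conversions are
# real; the per-character script classification is a deliberate simplification.
import unicodedata

# Unicode block boundaries for Canadian Syllabics:
# Unified Canadian Aboriginal Syllabics U+1400..U+167F and its Extended block U+18B0..U+18FF.
CANADIAN_SYLLABICS_BLOCKS = ((0x1400, 0x167F), (0x18B0, 0x18FF))

# After the fix these scripts are "Limited Use" and may no longer be mixed with Latin
# in a label that is displayed as Unicode.
LIMITED_USE = {"Canadian_Aboriginal"}

def script_of(ch: str) -> str:
    """Coarse per-character script: block ranges for Canadian Syllabics, the first word
    of the Unicode character name otherwise (e.g. "Latin", "Cyrillic")."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in CANADIAN_SYLLABICS_BLOCKS):
        return "Canadian_Aboriginal"
    if ch.isdigit() or ch == "-":
        return "Common"          # digits and hyphen belong to every script
    return unicodedata.name(ch, "UNKNOWN").split()[0].title()

def is_confusable_mix(label: str) -> bool:
    """True when a label mixes Latin with a Limited Use script (the case the fix blocks)."""
    scripts = {script_of(c) for c in label} - {"Common"}
    return "Latin" in scripts and bool(scripts & LIMITED_USE)

def display_form(hostname: str) -> str:
    """Return the address-bar rendering: Unicode per label, except that a confusable
    mixed-script label is shown in its raw punycode ("xn--") A-label form."""
    shown = []
    for label in hostname.split("."):
        if label.lower().startswith("xn--"):
            try:
                ulabel = label.encode("ascii").decode("idna")   # A-label -> U-label
            except UnicodeError:
                shown.append(label)                             # malformed: leave as-is
                continue
        else:
            ulabel = label
        if is_confusable_mix(ulabel):
            shown.append(ulabel.encode("idna").decode("ascii")) # U-label -> A-label
        else:
            shown.append(ulabel)
    return ".".join(shown)

if __name__ == "__main__":
    # Constructed sample: Latin letters with one Canadian Syllabics character (U+1401) inside.
    print(display_form("exam\u1401ple.test"))   # the mixed label is shown as xn--...
```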

Affected

14 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | debian_linux | |
debian | firefox | < firefox 54.0-1 (sid) | firefox 54.0-1 (sid)
debian | firefox-esr | < firefox 54.0-1 (sid) | firefox 54.0-1 (sid)
mozilla | firefox | < 52.2.0 | 52.2.0
mozilla | firefox | < 54.0 | 54.0
mozilla | firefox | >= 0 < 54.0+build3-0ubuntu0.14.04.1 | 54.0+build3-0ubuntu0.14.04.1
mozilla | firefox | >= 0 < 54.0+build3-0ubuntu0.16.04.1 | 54.0+build3-0ubuntu0.16.04.1
mozilla | firefox | >= unspecified < 54 | 54
mozilla | firefox_esr | >= unspecified < 52.2 | 52.2
mozilla | thunderbird | < 52.2.0 | 52.2.0
mozilla | thunderbird | >= 0 < 1:52.2.1+build1-0ubuntu0.14.04.1 | 1:52.2.1+build1-0ubuntu0.14.04.1
mozilla | thunderbird | >= 0 < 1:52.2.1+build1-0ubuntu0.16.04.1 | 1:52.2.1+build1-0ubuntu0.16.04.1
mozilla | thunderbird | >= unspecified < 52.2 | 52.2

CVSS provenance

Source | Version | Score | Vector
nvd | v3.0 | 5.3 MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd | v2.0 | 5.0 MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv | | 9.8 CRITICAL |
vendor_ubuntu | | 9.8 CRITICAL |
vendor_debian | | 5.3 MEDIUM |
vendor_redhat | | 5.3 MEDIUM |