CVE-2017-7816
published 2018-06-11CVE-2017-7816: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This…
PriorityP424medium5.3CVSS 3.0
AVNACLPRNUINSUCLINAN
EPSS
1.28%
66.4th percentile
WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 56.0-1 (sid) | firefox 56.0-1 (sid) |
| mozilla | firefox | <= 55.0.3 | — |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.14.04.1 | 56.0+build6-0ubuntu0.14.04.1 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.14.04.2 | 56.0+build6-0ubuntu0.14.04.2 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.16.04.1 | 56.0+build6-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu0.16.04.2 | 56.0+build6-0ubuntu0.16.04.2 |
| mozilla | firefox | >= 0 < 56.0+build6-0ubuntu1 | 56.0+build6-0ubuntu1 |
| mozilla | firefox | >= unspecified < 56 | 56 |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_redhat6.5MEDIUM
vendor_debian5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-q9h8-ghr2-6995: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavio
ghsa_unreviewed·2022-05-13
CVE-2017-7816 [MEDIUM] CWE-20 GHSA-q9h8-ghr2-6995: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavio
WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.
OSV
firefox regression
osv·2017-10-04·CVSS 9.8
[CRITICAL] firefox regression
firefox regression
USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash
plugin to crash in some circumstances. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, bypass phishing and malware protection, spoof the origin in
modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812,
CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819,
CVE-2017-7820, CV
OSV
CVE-2017-7816: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavio
osv·2017-10-02·CVSS 5.3
CVE-2017-7816 [MEDIUM] CVE-2017-7816: WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavio
WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.
OSV
firefox vulnerabilities
osv·2017-10-02·CVSS 9.8
CVE-2017-7793 [CRITICAL] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, bypass phishing and malware protection, spoof the origin in
modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812,
CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819,
CVE-2017-7820, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could potentially exploit this to cause a denial of
service via app
Ubuntu
Firefox regression
vendor_ubuntu·2017-10-04·CVSS 9.8
[CRITICAL] Firefox regression
Title: Firefox regression
Summary: USN-3435-1 caused a regression in Firefox.
USN-3435-1 fixed vulnerabilities in Firefox. The update caused the Flash
plugin to crash in some circumstances. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, bypass phishing and malware protection, spoof the origin in
modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812,
CVE-2017-7813, CVE-2017-7814, CV
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2017-10-02·CVSS 9.8
CVE-2017-7793 [CRITICAL] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, obtain sensitive
information, bypass phishing and malware protection, spoof the origin in
modal dialogs, conduct cross-site scripting (XSS) attacks, cause a denial
of service via application crash, or execute arbitrary code.
(CVE-2017-7793, CVE-2017-7810, CVE-2017-7811, CVE-2017-7812,
CVE-2017-7813, CVE-2017-7814, CVE-2017-7815, CVE-2017-7818, CVE-2017-7819,
CVE-2017-7820, CVE-2017-7822, CVE-2017-7823, CVE-2017-7824)
Martin Thomson discovered that NSS incorrectly g
Red Hat
Qemu: libcacard: host memory leakage while creating new APDU
vendor_redhat·2017-02-21·CVSS 6.5
CVE-2017-6414 [MEDIUM] CWE-772 Qemu: libcacard: host memory leakage while creating new APDU
Qemu: libcacard: host memory leakage while creating new APDU
Memory leak in the vcard_apdu_new function in card_7816.c in libcacard before 2.5.3 allows local guest OS users to cause a denial of service (host memory consumption) via vectors related to allocating a new APDU object.
Package: kvm (Red Hat Enterprise Linux 5) - Not affected
Package: xen (Red Hat Enterprise Linux 5) - Not affected
Package: qemu-kvm (Red Hat Enterprise Linux 6) - Not affected
Package: qemu-kvm (Red Hat Enterprise Linux 7) - Will not fix
Package: qemu-kvm-rhev (Red Hat Enterprise Linux 7) - Will not fix
Package: qemu-kvm-rhev (Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)) - Will not fix
Debian
CVE-2017-7816: firefox - WebExtensions could use popups and panels in the extension UI to load an "about:...
vendor_debian·2017·CVSS 5.3
CVE-2017-7816 [MEDIUM] CVE-2017-7816: firefox - WebExtensions could use popups and panels in the extension UI to load an "about:...
WebExtensions could use popups and panels in the extension UI to load an "about:" privileged URL, violating security checks that disallow this behavior. This vulnerability affects Firefox < 56.
Scope: local
sid: resolved (fixed in 56.0-1)
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/101057http://www.securitytracker.com/id/1039465https://bugzilla.mozilla.org/show_bug.cgi?id=1380597https://www.mozilla.org/security/advisories/mfsa2017-21/http://www.securityfocus.com/bid/101057http://www.securitytracker.com/id/1039465https://bugzilla.mozilla.org/show_bug.cgi?id=1380597https://www.mozilla.org/security/advisories/mfsa2017-21/
2018-06-11
Published