CVE-2017-7823
published 2018-06-11


Severity: medium, CVSS 3.0 base score 5.4
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N (network attack vector, low attack complexity, no privileges required, user interaction required, scope unchanged, low confidentiality impact, low integrity impact, no availability impact)
The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.

Affected

31 ranges, showing 25

Vendor   Product                   Version range                              Fixed in
debian   debian_linux
debian   debian_linux
debian   debian_linux
debian   firefox                   < firefox 56.0-1 (sid)                     firefox 56.0-1 (sid)
debian   firefox-esr               < firefox 56.0-1 (sid)                     firefox 56.0-1 (sid)
debian   thunderbird               < firefox 56.0-1 (sid)                     firefox 56.0-1 (sid)
mozilla  firefox                   < 52.4.0                                   52.4.0
mozilla  firefox                   < 56.0                                     56.0
mozilla  firefox                   >= 0 < 56.0+build6-0ubuntu0.14.04.1        56.0+build6-0ubuntu0.14.04.1
mozilla  firefox                   >= 0 < 56.0+build6-0ubuntu0.14.04.2        56.0+build6-0ubuntu0.14.04.2
mozilla  firefox                   >= 0 < 56.0+build6-0ubuntu0.16.04.1        56.0+build6-0ubuntu0.16.04.1
mozilla  firefox                   >= 0 < 56.0+build6-0ubuntu0.16.04.2        56.0+build6-0ubuntu0.16.04.2
mozilla  firefox                   >= unspecified < 56                        56
mozilla  firefox_esr               >= unspecified < 52.4                      52.4
mozilla  thunderbird               < 52.4.0                                   52.4.0
mozilla  thunderbird               >= 0 < 1:52.4.0-1                          1:52.4.0-1
mozilla  thunderbird               >= 0 < 1:52.4.0-1                          1:52.4.0-1
mozilla  thunderbird               >= 0 < 1:52.4.0-1                          1:52.4.0-1
mozilla  thunderbird               >= 0 < 1:52.4.0-1                          1:52.4.0-1
mozilla  thunderbird               >= 0 < 1:52.4.0+build1-0ubuntu0.14.04.2    1:52.4.0+build1-0ubuntu0.14.04.2
mozilla  thunderbird               >= 0 < 1:52.4.0+build1-0ubuntu0.16.04.2    1:52.4.0+build1-0ubuntu0.16.04.2
mozilla  thunderbird               >= unspecified < 52.4                      52.4
redhat   enterprise_linux_desktop
redhat   enterprise_linux_desktop
redhat   enterprise_linux_server

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      5.4     MEDIUM     CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
osv                9.8     CRITICAL