8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.597 Medium
EPSS
Percentile
97.4%
Mozilla developers and community members reported several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.
Mozilla developers and community members reported several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.
Security researcher firehack reported a buffer overflow when parsing
HTML5 fragments in a foreign context such as under an <svg> node. This
results in a potentially exploitable crash when inserting an HTML
fragment into an existing document.
Security researcher firehack used the Address Sanitizer tool to
discover a use-after-free in contenteditable mode. This occurs when
deleting document object model (DOM) table elements created within the
editor and results in a potentially exploitable crash.
Security researcher Jordi Chancel reported a method to spoof the
contents of the addressbar. This uses a persistent menu within a
<select> element, which acts as a container for HTML content and can be
placed in an arbitrary location. When placed over the addressbar, this
can mask the true site URL, allowing for spoofing by a malicious site.
Security researcher Armin Razmdjou reported that the location.host
property can be set to an arbitrary string after creating an invalid
data: URI. This allows for a bypass of some same-origin policy
protections. This issue is mitigated by the data: URI in use and any
same-origin checks for http: or https: are still enforced correctly. As
a result cookie stealing and other common same-origin bypass attacks
are not possible.
Mozilla community member jomo reported a use-after-free crash when
processing WebGL content. This issue was caused by the use of a texture
after its recycle pool has been destroyed during WebGL operations,
which frees the memory associated with the texture. This results in a
potentially exploitable crash when the texture is later called.
Security researcher Tim McCormack reported that when a page requests a
series of permissions in a short timespan, the resulting permission
notifications can show the icon for the wrong permission request. This
can lead to user confusion and inadvertent consent given when a user is
prompted by web content to give permissions, such as for geolocation or
microphone access.
Security researcher sushi Anton Larsson reported that when paired
fullscreen and pointerlock requests are done in combination with
closing windows, a pointerlock can be created within a fullscreen
window without user permission. This pointerlock cannot then be
cancelled without terminating the browser, resulting in a persistent
denial of service attack. This can also be used for spoofing and
clickjacking attacks against the browser UI.
Mozilla developer John Schoenick reported that CSS pseudo-classes can
be used by web content to leak information on plugins that are
installed but disabled. This can be used for information disclosure
through a fingerprinting attack that lists all of the plugins installed
by a user on a system, even when they are disabled.
Mozilla engineer Matt Wobensmith reported that Content Security Policy
(CSP) does not block the loading of cross-domain Java applets when
specified by policy. This is because the Java applet is loaded by the
Java plugin, which then mediates all network requests without checking
against CSP. This could allow a malicious site to manipulate content
through a Java applet to bypass CSP protections, allowing for possible
cross-site scripting (XSS) attacks.
access.redhat.com/security/cve/CVE-2016-2815
access.redhat.com/security/cve/CVE-2016-2818
access.redhat.com/security/cve/CVE-2016-2819
access.redhat.com/security/cve/CVE-2016-2821
access.redhat.com/security/cve/CVE-2016-2822
access.redhat.com/security/cve/CVE-2016-2825
access.redhat.com/security/cve/CVE-2016-2828
access.redhat.com/security/cve/CVE-2016-2829
access.redhat.com/security/cve/CVE-2016-2831
access.redhat.com/security/cve/CVE-2016-2832
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2833
www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox47
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.597 Medium
EPSS
Percentile
97.4%