CERTFR-2016-AVI-412
Vulnerability from certfr_avis - Published: - Updated:
Multiple vulnerabilities have been fixed in Mozilla Firefox. Some of them allow an attacker to cause remote arbitrary code execution, a remote denial of service and a security policy bypass.
Solution
Refer to the vendor's security bulletin to obtain the patches (see the Documentation section).
Impacted products
References
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Mozilla Firefox versions ant\u00e9rieures \u00e0 50.1",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
},
{
"description": "Mozilla Firefox ESR versions ant\u00e9rieures \u00e0 45.6",
"product": {
"name": "Firefox",
"vendor": {
"name": "Mozilla",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-9902",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9902"
},
{
"name": "CVE-2016-9897",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9897"
},
{
"name": "CVE-2016-9080",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9080"
},
{
"name": "CVE-2016-9904",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9904"
},
{
"name": "CVE-2016-9899",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9899"
},
{
"name": "CVE-2016-9905",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9905"
},
{
"name": "CVE-2016-9894",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9894"
},
{
"name": "CVE-2016-9900",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9900"
},
{
"name": "CVE-2016-9903",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9903"
},
{
"name": "CVE-2016-9893",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9893"
},
{
"name": "CVE-2016-9895",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9895"
},
{
"name": "CVE-2016-9898",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9898"
},
{
"name": "CVE-2016-9896",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9896"
},
{
"name": "CVE-2016-9901",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9901"
}
],
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2016-95 du 13 d\u00e9cembre 2016",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2016-94 du 13 d\u00e9cembre 2016",
"url": "https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/"
}
],
"reference": "CERTFR-2016-AVI-412",
"revisions": [
{
"description": "version initiale.",
"revision_date": "2016-12-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eMozilla Firefox\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, un d\u00e9ni de service \u00e0 distance et un contournement de la\npolitique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Mozilla Firefox",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2016-95 du 13 d\u00e9cembre 2016",
"url": null
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Mozilla mfsa2016-94 du 13 d\u00e9cembre 2016",
"url": null
}
]
}
CVE-2016-9902 (GCVE-0-2016-9902)
Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-06 03:07
Summary
The Pocket toolbar button, once activated, listens for events fired from its own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR < 45.6 and Firefox < 50.1.
Severity
No CVSS data available.
CWE
- Pocket extension does not validate the origin of events
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1320039 | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/94885 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1037461 | vdb-entry, x_refsource_SECTRACK |
| https://security.gentoo.org/glsa/201701-15 | vendor-advisory, x_refsource_GENTOO |
| http://rhn.redhat.com/errata/RHSA-2016-2973.html | vendor-advisory, x_refsource_REDHAT |
| http://rhn.redhat.com/errata/RHSA-2016-2946.html | vendor-advisory, x_refsource_REDHAT |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Mozilla | Firefox ESR | Affected: unspecified, < 45.6 (custom) |
| Mozilla | Firefox | Affected: unspecified, < 50.1 (custom) |
Date Public
2016-12-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:31.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1320039"
},
{
"name": "94885",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94885"
},
{
"name": "1037461",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "GLSA-201701-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "RHSA-2016:2973",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2973.html"
},
{
"name": "RHSA-2016:2946",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "45.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "50.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-12-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Pocket toolbar button, once activated, listens for events fired from it\u0027s own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR \u003c 45.6 and Firefox \u003c 50.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Pocket extension does not validate the origin of events",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-12T09:57:01.000Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1320039"
},
{
"name": "94885",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94885"
},
{
"name": "1037461",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "GLSA-201701-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "RHSA-2016:2973",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2973.html"
},
{
"name": "RHSA-2016:2946",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2016-9902",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "45.6"
}
]
}
},
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "50.1"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Pocket toolbar button, once activated, listens for events fired from it\u0027s own pages but does not verify the origin of incoming events. This allows content from other origins to fire events and inject content and commands into the Pocket context. Note: this issue does not affect users with e10s enabled. This vulnerability affects Firefox ESR \u003c 45.6 and Firefox \u003c 50.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Pocket extension does not validate the origin of events"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-94/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-95/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1320039",
"refsource": "CONFIRM",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1320039"
},
{
"name": "94885",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94885"
},
{
"name": "1037461",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "GLSA-201701-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "RHSA-2016:2973",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2973.html"
},
{
"name": "RHSA-2016:2946",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2016-9902",
"datePublished": "2018-06-11T21:00:00.000Z",
"dateReserved": "2016-12-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:07:31.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9903 (GCVE-0-2016-9903)
Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-06 03:07
Summary
Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context. This vulnerability affects Firefox < 50.1.
Severity
No CVSS data available.
CWE
- XSS injection vulnerability in add-ons SDK
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/94883 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1037461 | vdb-entry, x_refsource_SECTRACK |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1315435 | x_refsource_CONFIRM |
Impacted products
Date Public
2016-12-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:31.355Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"name": "94883",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94883"
},
{
"name": "1037461",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037461"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1315435"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "50.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-12-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Mozilla\u0027s add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on\u0027s context. This vulnerability affects Firefox \u003c 50.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS injection vulnerability in add-ons SDK",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-12T09:57:01.000Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"name": "94883",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94883"
},
{
"name": "1037461",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037461"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1315435"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2016-9903",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "50.1"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Mozilla\u0027s add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on\u0027s context. This vulnerability affects Firefox \u003c 50.1."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS injection vulnerability in add-ons SDK"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-94/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"name": "94883",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94883"
},
{
"name": "1037461",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1315435",
"refsource": "CONFIRM",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1315435"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2016-9903",
"datePublished": "2018-06-11T21:00:00.000Z",
"dateReserved": "2016-12-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:07:31.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9904 (GCVE-0-2016-9904)
Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-06 03:07
Summary
An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6.
Severity
No CVSS data available.
CWE
- Cross-origin information leak in shared atoms
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1317936 | x_refsource_CONFIRM |
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/94885 | vdb-entry, x_refsource_BID |
| http://www.securitytracker.com/id/1037461 | vdb-entry, x_refsource_SECTRACK |
| https://security.gentoo.org/glsa/201701-15 | vendor-advisory, x_refsource_GENTOO |
| https://www.debian.org/security/2017/dsa-3757 | vendor-advisory, x_refsource_DEBIAN |
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| http://rhn.redhat.com/errata/RHSA-2016-2946.html | vendor-advisory, x_refsource_REDHAT |
Impacted products
3 products
| Vendor | Product | Version |
|---|---|---|
| Mozilla | Firefox | Affected: unspecified, < 50.1 (custom) |
| Mozilla | Firefox ESR | Affected: unspecified, < 45.6 (custom) |
| Mozilla | Thunderbird | Affected: unspecified, < 45.6 (custom) |
Date Public
2016-12-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:31.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1317936"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "94885",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94885"
},
{
"name": "1037461",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "GLSA-201701-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "DSA-3757",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-3757"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-96/"
},
{
"name": "RHSA-2016:2946",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Firefox",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "50.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "45.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "45.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-12-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox \u003c 50.1, Firefox ESR \u003c 45.6, and Thunderbird \u003c 45.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-origin information leak in shared atoms",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-12T09:57:01.000Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1317936"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "94885",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94885"
},
{
"name": "1037461",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "GLSA-201701-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "DSA-3757",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-3757"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-96/"
},
{
"name": "RHSA-2016:2946",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2016-9904",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "50.1"
}
]
}
},
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "45.6"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "45.6"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites. This vulnerability affects Firefox \u003c 50.1, Firefox ESR \u003c 45.6, and Thunderbird \u003c 45.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-origin information leak in shared atoms"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-94/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-94/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1317936",
"refsource": "CONFIRM",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1317936"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-95/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "94885",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94885"
},
{
"name": "1037461",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037461"
},
{
"name": "GLSA-201701-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "DSA-3757",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-3757"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-96/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-96/"
},
{
"name": "RHSA-2016:2946",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2016-9904",
"datePublished": "2018-06-11T21:00:00.000Z",
"dateReserved": "2016-12-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:07:31.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9905 (GCVE-0-2016-9905)
Vulnerability from cvelistv5 – Published: 2018-06-11 21:00 – Updated: 2024-08-06 03:07
Summary
A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6.
Severity
No CVSS data available.
CWE
- Crash in EnumerateSubDocuments
Assigner
References
9 references
| URL | Tags |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/94884 | vdb-entry, x_refsource_BID |
| https://security.gentoo.org/glsa/201701-15 | vendor-advisory, x_refsource_GENTOO |
| https://www.debian.org/security/2017/dsa-3757 | vendor-advisory, x_refsource_DEBIAN |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1293985 | x_refsource_CONFIRM |
| http://rhn.redhat.com/errata/RHSA-2016-2973.html | vendor-advisory, x_refsource_REDHAT |
| http://www.securitytracker.com/id/1037462 | vdb-entry, x_refsource_SECTRACK |
| https://www.mozilla.org/security/advisories/mfsa2… | x_refsource_CONFIRM |
| http://rhn.redhat.com/errata/RHSA-2016-2946.html | vendor-advisory, x_refsource_REDHAT |
Impacted products
2 products
| Vendor | Product | Version |
|---|---|---|
| Mozilla | Firefox ESR | Affected: unspecified, < 45.6 (custom) |
| Mozilla | Thunderbird | Affected: unspecified, < 45.6 (custom) |
Date Public
2016-12-13 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:07:31.496Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "94884",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94884"
},
{
"name": "GLSA-201701-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "DSA-3757",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2017/dsa-3757"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293985"
},
{
"name": "RHSA-2016:2973",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2973.html"
},
{
"name": "1037462",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037462"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-96/"
},
{
"name": "RHSA-2016:2946",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Firefox ESR",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "45.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Thunderbird",
"vendor": "Mozilla",
"versions": [
{
"lessThan": "45.6",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-12-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A potentially exploitable crash in \"EnumerateSubDocuments\" while adding or removing sub-documents. This vulnerability affects Firefox ESR \u003c 45.6 and Thunderbird \u003c 45.6."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Crash in EnumerateSubDocuments",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-12T09:57:01.000Z",
"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"shortName": "mozilla"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "94884",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94884"
},
{
"name": "GLSA-201701-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "DSA-3757",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2017/dsa-3757"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293985"
},
{
"name": "RHSA-2016:2973",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2973.html"
},
{
"name": "1037462",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1037462"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2016-96/"
},
{
"name": "RHSA-2016:2946",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2016-9905",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "45.6"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "45.6"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A potentially exploitable crash in \"EnumerateSubDocuments\" while adding or removing sub-documents. This vulnerability affects Firefox ESR \u003c 45.6 and Thunderbird \u003c 45.6."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Crash in EnumerateSubDocuments"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-95/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-95/"
},
{
"name": "94884",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94884"
},
{
"name": "GLSA-201701-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201701-15"
},
{
"name": "DSA-3757",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2017/dsa-3757"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293985",
"refsource": "CONFIRM",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1293985"
},
{
"name": "RHSA-2016:2973",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2973.html"
},
{
"name": "1037462",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1037462"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2016-96/",
"refsource": "CONFIRM",
"url": "https://www.mozilla.org/security/advisories/mfsa2016-96/"
},
{
"name": "RHSA-2016:2946",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-2946.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
"assignerShortName": "mozilla",
"cveId": "CVE-2016-9905",
"datePublished": "2018-06-11T21:00:00.000Z",
"dateReserved": "2016-12-07T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:07:31.496Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.