Description
Mozilla Firefox 43.x mishandles attempts to connect to the Application Reputation service, which makes it easier for remote attackers to trigger an unintended download by leveraging the absence of reputation data.
References (9)
Core References
http://www.mozilla.org/security/announce/2016/mfsa2016-11.html (Vendor Advisory; x_refsource_confirm)
http://www.securitytracker.com/id/1034825 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_sectrack)
http://www.securityfocus.com/bid/81949 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://www.ubuntu.com/usn/USN-2880-1 (Third Party Advisory; vendor-advisory; x_refsource_ubuntu)
http://www.ubuntu.com/usn/USN-2880-2 (Third Party Advisory; vendor-advisory; x_refsource_ubuntu)
https://bugzilla.mozilla.org/show_bug.cgi?id=1237103 (Issue Tracking, Vendor Advisory; x_refsource_confirm)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00002.html (Third Party Advisory; vendor-advisory; x_refsource_suse)
https://security.gentoo.org/glsa/201605-06 (Third Party Advisory, VDB Entry; vendor-advisory; x_refsource_gentoo)
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00001.html (Third Party Advisory; vendor-advisory; x_refsource_suse)
Scores
CVSS v3: 4.7
EPSS: 0.0060
EPSS Percentile: 69.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Details
CWE: CWE-19
Status: published
Products (12)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
canonical/ubuntu_linux 15.10
mozilla/firefox 43.0
mozilla/firefox 43.0.1
mozilla/firefox 43.0.2
mozilla/firefox 43.0.3
mozilla/firefox 43.0.4
opensuse/leap 42.1
... and 2 more
Published: Jan 31, 2016
Tracked Since: Feb 18, 2026