CVE-2016-1965

MEDIUM

Mozilla Firefox <45.0 - Info Disclosure

Title source: llm
STIX 2.1

Description

Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle a navigation sequence that returns to the original page, which allows remote attackers to spoof the address bar via vectors involving the history.back method and the location.protocol property.

References (17)

Core 17
Core References
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00091.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1245264
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2917-1
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3510
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035215
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201605-06
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2917-2
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2917-3

Scores

CVSS v3 4.3
EPSS 0.0050
EPSS Percentile 66.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-254
Status published
Products (18)
mozilla/firefox 38.0
mozilla/firefox 38.0.1
mozilla/firefox 38.0.5
mozilla/firefox 38.1.0
mozilla/firefox 38.1.1
mozilla/firefox 38.2.0
mozilla/firefox 38.2.1
mozilla/firefox 38.3.0
mozilla/firefox 38.4.0
mozilla/firefox 38.5.0
... and 8 more
Published Mar 13, 2016
Tracked Since Feb 18, 2026