CVE-2016-5262

MEDIUM

Firefox < 48.0 and Firefox ESR 45.x < 45.3 - Cross-Site Scripting via MARQUEE Element Event Handlers

Title source: llm
STIX 2.1

Description

Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site.

References (11)

Core 11
Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3640
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-3044-1
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/92258
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1551.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-15
Issue Tracking, Permissions Required x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1277475
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036508

Scores

CVSS v3 6.1
EPSS 0.0029
EPSS Percentile 52.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (8)
mozilla/firefox 45.1.0
mozilla/firefox 45.1.1
mozilla/firefox 45.2.0
mozilla/firefox 45.3.0
mozilla/firefox < 47.0.1
oracle/linux 5.0
oracle/linux 6
oracle/linux 7
Published Aug 05, 2016
Tracked Since Feb 18, 2026