CVE-2016-1949
Gentoo Linux Security Advisory 201605-06
- Severity Score: not recorded
- Exploit Likelihood: not recorded
- Affected Versions: not recorded
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
Multiple vulnerabilities have been found in Firefox, Thunderbird, Network Security Services (NSS), and Netscape Portable Runtime (NSPR), the worst of which may allow remote execution of arbitrary code. Versions less than 4.12 are affected.
CVSS Scores
- not recorded
SSVC
- Decision: -
Timeline
- 2016-01-20 CVE Reserved
- 2016-02-12 CVE Published
- 2023-09-30 EPSS Updated
- 2024-08-05 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (7)
URL | Tag | Date |
---|---|---|
http://www.securitytracker.com/id/1035007 | Vdb Entry | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1245724 | X_refsource_confirm | |
http://lists.opensuse.org/opensuse-updates/2016-02/msg00102.html | | 2016-12-06 |
http://lists.opensuse.org/opensuse-updates/2016-02/msg00142.html | | 2016-12-06 |
http://www.mozilla.org/security/announce/2016/mfsa2016-13.html | | 2016-12-06 |
http://www.ubuntu.com/usn/USN-2893-1 | | 2016-12-06 |
https://security.gentoo.org/glsa/201605-06 | | 2016-12-06 |