CVE-2016-5282

medium

Description

Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource.

References

http://www.mozilla.org/security/announce/2016/mfsa2016-85.html

http://www.securityfocus.com/bid/93052

http://www.securitytracker.com/id/1036852

https://bugzilla.mozilla.org/show_bug.cgi?id=932335

https://security.gentoo.org/glsa/201701-15

Details

Source: MITRE

Published: 2016-09-22

Updated: 2017-07-30

Type: CWE-200

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM