CVE-2017-7839

MEDIUM

Description

Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerability affects Firefox < 57.

References

http://www.securityfocus.com/bid/101832

http://www.securitytracker.com/id/1039803

https://bugzilla.mozilla.org/show_bug.cgi?id=1402896

https://www.mozilla.org/security/advisories/mfsa2017-24/

Details

Source: MITRE

Published: 2018-06-11

Updated: 2018-06-25

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* versions up to 56.0.2 (inclusive)

Tenable Plugins

View all (10 total)

IDNameProductFamilySeverity
700322Mozilla Firefox < 57 Multiple VulnerabilitiesNessus Network MonitorWeb Clients
critical
105542Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox regression (USN-3477-4)NessusUbuntu Local Security Checks
critical
104994Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox regressions (USN-3477-3)NessusUbuntu Local Security Checks
critical
104807Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox regression (USN-3477-2)NessusUbuntu Local Security Checks
critical
104652Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : firefox vulnerabilities (USN-3477-1)NessusUbuntu Local Security Checks
critical
104638Mozilla Firefox < 57 Multiple VulnerabilitiesNessusWindows
critical
104637Mozilla Firefox ESR < 52.5 Multiple VulnerabilitiesNessusWindows
critical
104636Mozilla Firefox < 57 Multiple Vulnerabilities (macOS)NessusMacOS X Local Security Checks
critical
104635Mozilla Firefox ESR < 52.5 Multiple Vulnerabilities (macOS)NessusMacOS X Local Security Checks
critical
104564FreeBSD : mozilla -- multiple vulnerabilities (f78eac48-c3d1-4666-8de5-63ceea25a578)NessusFreeBSD Local Security Checks
critical