
Nicolas Golubovic

#29554 of 53,635
8.8 total CVSS
Vulnerabilities · 1
PT-2016-1463
8.8
2016-03-08
Mozilla · Firefox Esr · CVE-2016-1954
**Name of the Vulnerable Software and Affected Versions**

Mozilla Firefox versions prior to 45.0

Firefox ESR versions prior to 38.7

**Description**

The issue is related to the nsCSPContext::SendReports function, which does not prevent the use of a non-HTTP report-uri for a Content Security Policy (CSP) violation report. This allows remote attackers to cause a denial of service (data overwrite) or possibly gain privileges by specifying a URL of a local file.

**Recommendations**

For Mozilla Firefox versions prior to 45.0, update to version 45.0 or later.

For Firefox ESR versions prior to 38.7, update to version 38.7 or later.