PT-2017-3379 · Mozilla+5 · Firefox Esr+7

Jun Kokatsu

·

Publicado

2017-09-02

·

Atualizado

2024-12-12

·

CVE-2017-7823

CVSS v2.0

8.3

Alta

VetorAV:N/AC:M/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions Firefox versions prior to 56 Firefox ESR versions prior to 52.4 Thunderbird versions prior to 52.4
Description The content security policy (CSP) "sandbox" directive did not create a unique origin for the document, causing it to behave as if the "allow-same-origin" keyword were always specified. This could allow a Cross-Site Scripting (XSS) attack to be launched from unsafe content. The vulnerability is related to the implementation of the Content Security Policy (CSP) mechanism in Mozilla browsers, which failed to protect the structure of web pages using the sandbox directive, potentially allowing a remote attacker to perform cross-site scripting attacks.
Recommendations For Firefox versions prior to 56, update to version 56 or later. For Firefox ESR versions prior to 52.4, update to version 52.4 or later. For Thunderbird versions prior to 52.4, update to version 52.4 or later.

Exploit

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

ALT-PU-2017-2358
ALT-PU-2017-2390
ALT-PU-2017-2437
ALT-PU-2018-1854
BDU:2018-00161
CESA-2017_2831
CESA-2017_2885
CVE-2017-7823
DLA-1118-1
DLA-1153-1
DSA-3987-1
DSA-4014-1
MGASA-2017-0361
MGASA-2018-0018
OPENSUSE-SU-2017:2707-1
OPENSUSE-SU-2017:2710-1
OPENSUSE-SU-2017_2615-1
OPENSUSE-SU-2017_2710-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2017:2831
RHSA-2017:2885
RHSA-2017_2831
RHSA-2017_2885
SUSE-SU-2017:2688-1
SUSE-SU-2017:2872-1
SUSE-SU-2017:2872-2
USN-3435-1
USN-3435-2
USN-3436-1

Produtos afetados

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu