PT-2017-3391 · Mozilla+5 · Firefox Esr+7

Jose María Acuña

·

Publicado

2017-05-18

·

Atualizado

2024-12-12

·

CVE-2017-7791

CVSS v2.0

8.8

Alta

VetorAV:N/AC:M/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 52.3 Firefox ESR versions prior to 52.3 Firefox versions prior to 55
Description The issue is related to the implementation of the "data:" protocol in Mozilla Firefox, Firefox ESR, and the Thunderbird email client. It is associated with errors in the protocol's functioning on pages containing iframe elements. Exploitation of this issue may allow a remote attacker to compromise the integrity of protected information. On pages with an iframe, the "data:" protocol can be used to create a modal alert that renders over arbitrary domains after page navigation, allowing the spoofing of the origin of the modal alert from the iframe content.
Recommendations For Thunderbird versions prior to 52.3, update to version 52.3 or later. For Firefox ESR versions prior to 52.3, update to version 52.3 or later. For Firefox versions prior to 55, update to version 55 or later.

Exploit

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

ALT-PU-2017-2019
ALT-PU-2017-2060
ALT-PU-2017-2093
ALT-PU-2018-1854
BDU:2018-00174
CESA-2017_2456
CESA-2017_2534
CVE-2017-7791
DLA-1053-1
DLA-1087-1
DSA-3928-1
DSA-3928-2
DSA-3968-1
MGASA-2017-0268
MGASA-2017-0303
MGASA-2018-0018
OPENSUSE-SU-2017:2209-1
OPENSUSE-SU-2017_2151-1
OPENSUSE-SU-2017_2209-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2017:2456
RHSA-2017:2534
RHSA-2017_2456
RHSA-2017_2534
SUSE-SU-2017:2302-1
SUSE-SU-2017:2589-1
USN-3391-1
USN-3391-2
USN-3391-3
USN-3416-1

Produtos afetados

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu