PT-2016-2532 · Mozilla+3 · Firefox+3

Firace

Published

2016-08-02

Updated

2024-12-12

CVE-2016-5251

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 48.0

Description The issue exists due to insufficient input validation in the browser, allowing a remote attacker to spoof the location bar by using special characters in the media type of a data: URL. This can be achieved through crafted characters in the data:URL type.

Recommendations For versions prior to 48.0, update to version 48.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of data:URL types until a patch is applied. Avoid using special characters in the media type of a data:URL to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2016-1836

ALT-PU-2017-1578

BDU:2016-01923

CVE-2016-5251

OPENSUSE-SU-2016_1964-1

OPENSUSE-SU-2016_2026-1

OPENSUSE-SU-2024:10071-1

OPENSUSE-SU-2024:14572-1

USN-3044-1

Affected Products

Alt Linux

Firefox

Suse

Ubuntu

PT-2016-2532 · Mozilla+3 · Firefox+3

CVE-2016-5251

Weakness Enumeration

Related Identifiers

Affected Products

References · 2095