PT-2017-16476 · Mozilla+3 · Firefox+3

Kris Maglione

Published

2017-01-24

Updated

2024-12-12

CVE-2017-5389

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 51

Description The issue allows a malicious extension to install additional extensions without explicit user permission by modifying the CSP headers on sites with the appropriate permissions and using host requests to redirect script loads to a malicious site. This is achieved through the use of the "mozAddonManager" API.

Recommendations For versions prior to 51, update to a version that includes the fix for this issue to prevent malicious extensions from installing additional extensions without user permission.

Exploit

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

ALT-PU-2017-1138

ALT-PU-2017-1578

CVE-2017-5389

MGASA-2017-0323

OPENSUSE-SU-2017_0358-1

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

USN-3175-1

USN-3175-2

Affected Products

Alt Linux

Firefox

Suse

Ubuntu

PT-2017-16476 · Mozilla+3 · Firefox+3

CVE-2017-5389

Weakness Enumeration

Related Identifiers

Affected Products

References · 1906