PT-2017-3391 · Mozilla+5 · Firefox Esr+7

Jose María Acuña

·

Published

2017-05-18

·

Updated

2024-12-12

·

CVE-2017-7791

CVSS v2.0

8.8

High

VectorAV:N/AC:M/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 52.3 Firefox ESR versions prior to 52.3 Firefox versions prior to 55
Description The issue is related to the implementation of the "data:" protocol in Mozilla Firefox, Firefox ESR, and the Thunderbird email client. It is associated with errors in the protocol's functioning on pages containing iframe elements. Exploitation of this issue may allow a remote attacker to compromise the integrity of protected information. On pages with an iframe, the "data:" protocol can be used to create a modal alert that renders over arbitrary domains after page navigation, allowing the spoofing of the origin of the modal alert from the iframe content.
Recommendations For Thunderbird versions prior to 52.3, update to version 52.3 or later. For Firefox ESR versions prior to 52.3, update to version 52.3 or later. For Firefox versions prior to 55, update to version 55 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2017-2019
ALT-PU-2017-2060
ALT-PU-2017-2093
ALT-PU-2018-1854
BDU:2018-00174
CESA-2017_2456
CESA-2017_2534
CVE-2017-7791
DLA-1053-1
DLA-1087-1
DSA-3928-1
DSA-3928-2
DSA-3968-1
MGASA-2017-0268
MGASA-2017-0303
MGASA-2018-0018
OPENSUSE-SU-2017:2209-1
OPENSUSE-SU-2017_2151-1
OPENSUSE-SU-2017_2209-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
RHSA-2017:2456
RHSA-2017:2534
RHSA-2017_2456
RHSA-2017_2534
SUSE-SU-2017:2302-1
SUSE-SU-2017:2589-1
USN-3391-1
USN-3391-2
USN-3391-3
USN-3416-1

Affected Products

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Suse
Thunderbird
Ubuntu