Vulnerability Details

Mozilla Firefox Security Advisory (MFSA2016-85) - Linux

Published: 2021-11-08 15:21:25
CVE Author: NIST National Vulnerability Database

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

severity_vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

severity_origin=NVD

severity_date=2017-07-29 23:29:00 +0000 (Sat, 29 Jul 2017)

Summary:
This host is missing a security update for Mozilla Firefox.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
CVE-2016-2827: Out-of-bounds read in mozilla::net::IsValidReferrerPolicy A content security policy (CSP) containing a referrer directive with no values can cause a non-exploitable crash. CVE-2016-5270: Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString An out-of-bounds write of a boolean value during text conversion with some unicode characters CVE-2016-5271: Out-of-bounds read in PropertyProvider::GetSpacingInternal An out-of-bounds read during the processing of text runs in some pages using display:contents. CVE-2016-5272: Bad cast in nsImageGeometryMixin A bad cast when processing layout with input elements can result in a potentially exploitable crash. CVE-2016-5273: crash in mozilla::a11y::HyperTextAccessible::GetChildOffset A potentially exploitable crash in accessibility. CVE-2016-5276: Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList A use-after-free vulnerability triggered by setting a aria-owns attribute. CVE-2016-5274: use-after-free in nsFrameManager::CaptureFrameState A use-after-free issue in web animations during restyling. CVE-2016-5277: Heap-use-after-free in nsRefreshDriver::Tick A use-after-free vulnerability with web animations when destroying a timeline. CVE-2016-5275: Buffer overflow in mozilla::gfx::FilterSupport::ComputeSourceNeededRegions A buffer overflow when working with empty filters during canvas rendering. CVE-2016-5278: Heap-buffer-overflow in nsBMPEncoder::AddImageFrame A potentially exploitable crash caused by a buffer overflow while encoding image frames to images. CVE-2016-5279: Full local path of files is available to web pages after drag and drop The full path to local files is available to scripts when local files are drag and dropped into Firefox. CVE-2016-5280: Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap Use-after-free vulnerability when changing text direction. CVE-2016-5281: use-after-free in DOMSVGLength Use-after-free vulnerability when manipulating SVG format content through script. CVE-2016-5282: Don't allow content to request favicons from non-whitelisted schemes Favicons can be loaded through non-whitelisted protocols, such as jar:. CVE-2016-5283: Iframe src fragment timing attack can reveal cross-origin data A timing attack vulnerability using iframes to potentially reveal private data using document resizes and link colors. CVE-2016-5284: Add-on update site certificate pin expiration Due to flaws in the process we used to update 'Preloaded Public Key Pinning' in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. CVE-2016-5256: Memory safety bugs fixed in Firefox 49 Mozilla ... [Please see the references for more information on the vulnerabilities]

Affected Versions:
Firefox version(s) below 49.

Recommendations:
The vendor has released an update. Please see the reference(s) for more information.

Solution Type:
Vendor Patch

Detection Type:
Executable Unreliable

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2016-2827
https://nvd.nist.gov/vuln/detail/CVE-2016-5256
https://nvd.nist.gov/vuln/detail/CVE-2016-5257
https://nvd.nist.gov/vuln/detail/CVE-2016-5270
https://nvd.nist.gov/vuln/detail/CVE-2016-5271
https://nvd.nist.gov/vuln/detail/CVE-2016-5272
https://nvd.nist.gov/vuln/detail/CVE-2016-5273
https://nvd.nist.gov/vuln/detail/CVE-2016-5274
https://nvd.nist.gov/vuln/detail/CVE-2016-5275
https://nvd.nist.gov/vuln/detail/CVE-2016-5276
https://nvd.nist.gov/vuln/detail/CVE-2016-5277
https://nvd.nist.gov/vuln/detail/CVE-2016-5278
https://nvd.nist.gov/vuln/detail/CVE-2016-5279
https://nvd.nist.gov/vuln/detail/CVE-2016-5280
https://nvd.nist.gov/vuln/detail/CVE-2016-5281
https://nvd.nist.gov/vuln/detail/CVE-2016-5282
https://nvd.nist.gov/vuln/detail/CVE-2016-5283
https://nvd.nist.gov/vuln/detail/CVE-2016-5284

References:


https://www.mozilla.org/en-US/security/advisories/mfsa2016-85/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1288588%2C1287204%2C1294407%2C1293347%2C1288780%2C1288555%2C1289280%2C1294095%2C1277213
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1290244%2C1282746%2C1268034%2C1296078%2C1297099%2C1276413%2C1296087
https://bugzilla.mozilla.org/show_bug.cgi?id=1249522
https://bugzilla.mozilla.org/show_bug.cgi?id=1280387
https://bugzilla.mozilla.org/show_bug.cgi?id=1282076
https://bugzilla.mozilla.org/show_bug.cgi?id=1284690
https://bugzilla.mozilla.org/show_bug.cgi?id=1287316
https://bugzilla.mozilla.org/show_bug.cgi?id=1287721
https://bugzilla.mozilla.org/show_bug.cgi?id=1288946
https://bugzilla.mozilla.org/show_bug.cgi?id=1289085
https://bugzilla.mozilla.org/show_bug.cgi?id=1289970
https://bugzilla.mozilla.org/show_bug.cgi?id=1291016
https://bugzilla.mozilla.org/show_bug.cgi?id=1291665
https://bugzilla.mozilla.org/show_bug.cgi?id=1294677
https://bugzilla.mozilla.org/show_bug.cgi?id=129793
https://bugzilla.mozilla.org/show_bug.cgi?id=1303127
https://bugzilla.mozilla.org/show_bug.cgi?id=928187
https://bugzilla.mozilla.org/show_bug.cgi?id=932335

Severity
High
CVSS Score
7.5
Published
2021-11-08
Modified
2021-11-15
Category
General

Free Vulnerability Scanning, Assessment and Management

Mageni's Platform is packed with all the features you need to scan, assess and manage vulnerabilities like this - it is free, open source, lightning fast, reliable and scalable.

Router
Servers
Laptop
Database
Group
Cloud

Frequently Asked Questions

No, you can scan concurrently as many assets as you want. Please note that you must be aware of the hardware requeriments of the platform to ensure a good performance.

No, you can add as many assest as you want. It doesn't matters if you have millions of assets, we won't charge you for that.

No. The software is completely free. We have no intention to charge you to use the software, in fact - it completely goes against our beliefs and business model.

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005)

We generate revenue by providing support and other services for customers that require a subscription so they get guaranteed support and enterprise services. To use Mageni's Platform is completely free, with no limits at all.

Yes. Mageni understands that there are professionals and businesses that need commercial support so Mageni provides an active support subscription with everything needed to run Mageni's Platform reliably and securely. More than software, it's access to security experts, knowledge resources, security updates, and support tools you can't get anywhere else. The subscription includes:

  • Ongoing delivery
    • Patches
    • Bug fixes
    • Updates
    • Upgrades
  • Technical support
    • 24/7 availability
    • Unlimited Incidents
    • Specialty-based routing
    • Multi-Channel
  • Commitments
    • Software certifications
    • Software assurance
    • SLA

No, we don't store the information of your vulnerabilities in our servers.

Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc. Source: "Implementing a Vulnerability Management Process". SANS Institute.

I am ready to start scanning for vulnerabilities