CVE-2016-2816 : Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via

Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type.

Published 2016-04-30 17:59:14

Updated 2017-07-01 01:29:41

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Exploit prediction scoring system (EPSS) score for CVE-2016-2816

Probability of exploitation activity in the next 30 days: 0.62%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 76 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-2816

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2016-2816

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2816

https://security.gentoo.org/glsa/201701-15

Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-3

USN-2936-3: Firefox regression | Ubuntu security notices

CVEs referencing this url
http://www.securitytracker.com/id/1035692

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information - SecurityTracker

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-2

USN-2936-2: Oxygen-GTK3 update | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html

openSUSE-SU-2016:1251-1: moderate: Security update to Firefox 46.0

CVEs referencing this url
http://www.mozilla.org/security/announce/2016/mfsa2016-45.html

CSP not applied to pages sent with multipart/x-mixed-replace — Mozilla
Vendor Advisory
http://www.ubuntu.com/usn/USN-2936-1

USN-2936-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1223743

Bugzilla.mozilla.org is offline
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html

[security-announce] openSUSE-SU-2016:1211-1: important: Security update

CVEs referencing this url

Products affected by CVE-2016-2816

Mozilla » Firefox
Versions up to, including, (<=) 45.0.2
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-2816

Exploit prediction scoring system (EPSS) score for CVE-2016-2816

CVSS scores for CVE-2016-2816

CWE ids for CVE-2016-2816

References for CVE-2016-2816

Products affected by CVE-2016-2816