CVE-2016-2820 : The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Fi

The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element.

Published 2016-04-30 17:59:16

Updated 2025-04-12 10:46:41

Source Mozilla Corporation

View at NVD, CVE.org

Products affected by CVE-2016-2820

Mozilla » Firefox
Versions up to, including, (<=) 45.0.2
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2016-2820

EPSS FAQ

0.42%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-2820

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
4.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2016-2820

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-2820

https://security.gentoo.org/glsa/201701-15

Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-3

USN-2936-3: Firefox regression | Ubuntu security notices

CVEs referencing this url
http://www.securitytracker.com/id/1035692

Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information - SecurityTracker

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2936-2

USN-2936-2: Oxygen-GTK3 update | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html

openSUSE-SU-2016:1251-1: moderate: Security update to Firefox 46.0

CVEs referencing this url
http://www.mozilla.org/security/announce/2016/mfsa2016-48.html

Firefox Health Reports could accept events from untrusted domains — Mozilla
Vendor Advisory
http://www.ubuntu.com/usn/USN-2936-1

USN-2936-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html

[security-announce] openSUSE-SU-2016:1211-1: important: Security update

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=870870

Bugzilla.mozilla.org is offline

Jump to

Vulnerability Details : CVE-2016-2820

Products affected by CVE-2016-2820

Exploit prediction scoring system (EPSS) score for CVE-2016-2820

CVSS scores for CVE-2016-2820

CWE ids for CVE-2016-2820

References for CVE-2016-2820