Vulnerability Details : CVE-2017-5450
A mechanism to spoof the Firefox for Android addressbar using a "javascript:" URI. On Firefox for Android, the base domain is parsed incorrectly, making the resulting location less visibly a spoofed site and showing an incorrect domain in appended notifications. This vulnerability affects Firefox < 53.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2017-5450
Probability of exploitation activity in the next 30 days: 0.16%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 53 %
CVSS scores for CVE-2017-5450
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2017-5450
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-5450
- http://www.securitytracker.com/id/1038320
  Mozilla Firefox Multiple Bugs Let Remote Users Bypass Security Restrictions, Spoof URLs, Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code - SecurityTracker
  Third Party Advisory; VDB Entry
- https://bugzilla.mozilla.org/show_bug.cgi?id=1325955
  1325955 - (CVE-2017-5450) Address bar spoofing on Android
  Exploit; Issue Tracking
- https://www.mozilla.org/security/advisories/mfsa2017-10/
  Security vulnerabilities fixed in Firefox 53 — Mozilla
  Vendor Advisory
- http://www.securityfocus.com/bid/97940
  Mozilla Firefox Multiple Security Vulnerabilities
  Third Party Advisory; VDB Entry
Products affected by CVE-2017-5450
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*