CVE-2016-2833

Published: 8 June 2016

Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) directives for cross-domain Java applets, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted applet.

Priority

Cvss 3 Severity Score

6.1

Score breakdown

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	upstream	Released (47.0)
	precise	Released (47.0+build3-0ubuntu0.12.04.1)
	wily	Released (47.0+build3-0ubuntu0.15.10.1)
	xenial	Released (47.0+build3-0ubuntu0.16.04.1)
	trusty	Released (47.0+build3-0ubuntu0.14.04.1)
thunderbird Launchpad, Ubuntu, Debian	upstream	Not vulnerable
	precise	Not vulnerable
	trusty	Does not exist (trusty was not-affected)
	wily	Not vulnerable
	xenial	Not vulnerable

Severity score breakdown

Parameter	Value
Base score	6.1
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Changed
Confidentiality	Low
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›