CVE-2016-9075

Published: 17 November 2016

An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission. This vulnerability affects Firefox < 50.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	Upstream	Released (50.0)





	Ubuntu 16.04 ESM (Xenial Xerus)	Released (50.0+build2-0ubuntu0.16.04.2)
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [50.0+build2-0ubuntu0.14.04.2])
thunderbird Launchpad, Ubuntu, Debian	Upstream	Not vulnerable





	Ubuntu 16.04 ESM (Xenial Xerus)	Not vulnerable
	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was not-affected)

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2016-9075

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading