Your submission was sent successfully! Close

CVE-2017-5466

Published: 20 April 2017

If a page is loaded from an original site through a hyperlink and contains a redirect to a "data:text/html" URL, triggering a reload will run the reloaded "data:text/html" page with its origin set incorrectly. This allows for a cross-site scripting (XSS) attack. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.

Priority

Medium

CVSS 3 base score: 6.1

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
precise Does not exist
(precise was ignored)
trusty Does not exist
(trusty was released [53.0+build6-0ubuntu0.14.04.1])
upstream
Released (53.0)
xenial
Released (53.0+build6-0ubuntu0.16.04.1)
yakkety
Released (53.0+build6-0ubuntu0.16.10.1)
zesty
Released (53.0+build6-0ubuntu0.17.04.1)
thunderbird
Launchpad, Ubuntu, Debian
precise Does not exist
(precise was needs-triage)
trusty Does not exist
(trusty was released [1:52.1.1+build1-0ubuntu0.14.04.1])
upstream
Released (52.1.1)
xenial
Released (1:52.1.1+build1-0ubuntu0.16.04.1)
yakkety
Released (1:52.1.1+build1-0ubuntu0.16.10.1)
zesty
Released (1:52.1.1+build1-0ubuntu0.17.04.1)