CVE-2016-2831 — HIGH (8.8) — White Hats Nepal

Vulnerability Description

Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings, which allows remote attackers to cause a denial of service (UI outage), or conduct clickjacking or spoofing attacks, via a crafted web site.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

HIGH

Affected Products

Vendor	Product	Versions
Canonical	Ubuntu Linux	12.04
Mozilla	Firefox	45.1.0
Debian	Debian Linux	8.0
Opensuse	Leap	42.1
Opensuse	Opensuse	13.1

Related Weaknesses (CWE)

CWE-284 CWE-254

References

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00014.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00055.htmlMailing ListThird Party Advisory
http://www.debian.org/security/2016/dsa-3600Third Party Advisory
http://www.mozilla.org/security/announce/2016/mfsa2016-58.htmlVendor Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.h
http://www.securityfocus.com/bid/91075
http://www.securitytracker.com/id/1036057Third Party Advisory
http://www.ubuntu.com/usn/USN-2993-1Third Party Advisory
https://access.redhat.com/errata/RHSA-2016:1217Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1261933Issue TrackingPermissions Required
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00014.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00016.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00055.htmlMailing ListThird Party Advisory
http://www.debian.org/security/2016/dsa-3600Third Party Advisory

FAQ

What is CVE-2016-2831?

CVE-2016-2831 is a vulnerability with a CVSS score of 8.8 (HIGH). Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings, which allows remote attackers to cause a denial of service (U...

How severe is CVE-2016-2831?

CVE-2016-2831 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-2831?

Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Mozilla Firefox, Debian Debian Linux, Opensuse Leap, Opensuse Opensuse.