UBUNTU-CVE-2016-5262

Details

Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 process JavaScript event-handler attributes of a MARQUEE element within a sandboxed IFRAME element that lacks the sandbox="allow-scripts" attribute value, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site.

Affected Packages

Ubuntu:14.04:LTSfirefox

Affected versions:

24.0+build1-0ubuntu125.0+build3-0ubuntu0.13.10.128.0+build1-0ubuntu128.0+build2-0ubuntu128.0+build2-0ubuntu228.0~b2+build1-0ubuntu229.0+build1-0ubuntu0.14.04.230.0+build1-0ubuntu0.14.04.331.0+build1-0ubuntu0.14.04.132.0+build1-0ubuntu0.14.04.1+32 more

Fixed in:

48.0+build2-0ubuntu0.14.04.1

Ubuntu:16.04:LTSfirefox

Affected versions:

41.0.2+build2-0ubuntu142.0+build2-0ubuntu144.0+build3-0ubuntu244.0.1+build1-0ubuntu144.0.2+build1-0ubuntu145.0+build2-0ubuntu145.0.1+build1-0ubuntu145.0.2+build1-0ubuntu146.0+build5-0ubuntu0.16.04.246.0.1+build1-0ubuntu0.16.04.2+1 more

Fixed in:

48.0+build2-0ubuntu0.16.04.1

References

REPORThttps://bugzilla.mozilla.org/show_bug.cgi?id=1277475 REPORThttps://ubuntu.com/security/CVE-2016-5262 REPORThttps://ubuntu.com/security/notices/USN-3044-1 REPORThttps://www.cve.org/CVERecord?id=CVE-2016-5262 REPORThttps://www.mozilla.org/en-US/security/advisories/mfsa2016-76/

UBUNTU-CVE-2016-5262

Details

Affected Packages

References

CVSS Analysis

Related

Ecosystems

Timeline