Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-1954 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers Mozilla Thunderbird Client/Desktop applications / Messaging software Oracle Solaris Operating systems & Components / Operating system Oracle Linux Operating systems & Components / Operating system |
Vendor |
Mozilla Oracle |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU1018
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-1954
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to improper input validation. By convincing a victim to visit a malicious website, attackers can overwrite an add-on resource that may lead to denial of service or privilege escalation.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.
Update Firefox to version 45.
Update Firefox ESR to version 38.7.
Update Thunderbird to version 38.7 or 45.
Mozilla Firefox: 40.0 - 44.0
Firefox ESR: 38.0 - 38.6.0
Mozilla Thunderbird: 34.0 - 38.6
Oracle Solaris: 11.3
Oracle Linux: 5 - 7
External linkshttp://tools.cisco.com/security/center/viewAlert.x?alertId=43941
http://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.