CVE-2016-9900
Publication date 13 December 2016
Last updated 24 July 2024
Ubuntu priority
External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of "data:" URLs. This could allow for cross-domain data leakage. This vulnerability affects Firefox < 50.1, Firefox ESR < 45.6, and Thunderbird < 45.6.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| firefox | ||
| 16.04 LTS xenial |
Fixed 50.1.0+build2-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 50.1.0+build2-0ubuntu0.14.04.1
|
|
| thunderbird | ||
| 16.04 LTS xenial |
Fixed 1:45.7.0+build1-0ubuntu0.16.04.1
|
|
| 14.04 LTS trusty |
Fixed 1:45.7.0+build1-0ubuntu0.14.04.1
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3155-1
- Firefox vulnerabilities
- 13 December 2016
- USN-3165-1
- Thunderbird vulnerabilities
- 28 January 2017