Vulnerability in Mozilla Firefox
CVE-2016-1960
Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) by…
EPSS: 0.865 (99.4th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Affected products
- Mozilla Firefox — versions 38.0, 38.0.1, 38.0.5
- Mozilla Thunderbird
- Oracle Linux — versions 5.0, 6, 7
- Opensuse Leap — versions 42.1
- Opensuse — versions 13.1, 13.2
- Suse Linux_enterprise — versions 12.0
- N/a — versions n/a
Public proof-of-concept exploits
References
- openSUSE-SU-2016:0894 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
- security@mozilla.org (x_refsource_CONFIRM, Vendor Advisory)
- security@mozilla.org (x_refsource_CONFIRM, Issue Tracking)
- SUSE-SU-2016:0820 (vendor-advisory, x_refsource_SUSE)
- openSUSE-SU-2016:1767 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
- security@mozilla.org (x_refsource_CONFIRM, Third Party Advisory)
- openSUSE-SU-2016:0731 (vendor-advisory, x_refsource_SUSE)
- SUSE-SU-2016:0727 (vendor-advisory, x_refsource_SUSE)
- openSUSE-SU-2016:1778 (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
- openSUSE-SU-2016:0876 (vendor-advisory, x_refsource_SUSE)
Frequently asked questions
- What is CVE-2016-1960?
- CVE-2016-1960 is a high-severity vulnerability in Mozilla Firefox. CVSS score: 8.8/10. Published 2016-03-13.
- How severe is CVE-2016-1960?
- High severity. CVSS v3 base score is 8.8 out of 10.
- Is CVE-2016-1960 known to be exploited?
- 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.