Bug 977388 - (CVE-2016-2820) VUL-0: CVE-2016-2820: MozillaFirefox: Firefox Health Reports could accept events from untrusted domains (MFSA 2016-48)
(CVE-2016-2820)
VUL-0: CVE-2016-2820: MozillaFirefox: Firefox Health Reports could accept eve...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
All All
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on: 977333
Blocks:
  Show dependency treegraph
 
Reported: 2016-04-27 08:56 UTC by Andreas Stieger
Modified: 2020-04-05 18:21 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2016-04-27 08:56:44 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-48/

Mozilla engineer Mark Goodwin discovered that the Firefox Health Report (about:healthreport) accepts certain events from any content document present in the remote-report iframe. If there were another vulnerability that allowed the injection of web content into the Firefox Health Report iframe, this content could change the sharing preferences of a user by firing the appropriate events at it s containing page. 

FHR accepts events from untrusted domains (CVE-2016-2820)
https://bugzilla.mozilla.org/show_bug.cgi?id=870870

openSUSE only.
Comment 1 Swamp Workflow Management 2016-04-27 22:02:27 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2016-04-30 10:21:28 UTC
openSUSE submitted, updates running
Comment 3 Swamp Workflow Management 2016-05-04 13:10:20 UTC
openSUSE-SU-2016:1211-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977333,977373,977375,977376,977379,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2811,CVE-2016-2812,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-46.0-21.1, mozilla-nss-3.22.3-15.2
openSUSE 13.2 (src):    MozillaFirefox-46.0-68.1, mozilla-nss-3.22.3-31.1
Comment 4 Swamp Workflow Management 2016-05-06 14:09:41 UTC
openSUSE-SU-2016:1251-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 977333,977373,977375,977376,977377,977378,977379,977380,977381,977382,977384,977386,977388
CVE References: CVE-2016-2804,CVE-2016-2806,CVE-2016-2807,CVE-2016-2808,CVE-2016-2809,CVE-2016-2810,CVE-2016-2811,CVE-2016-2812,CVE-2016-2813,CVE-2016-2814,CVE-2016-2816,CVE-2016-2817,CVE-2016-2820
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-46.0-113.2, mozilla-nss-3.22.3-77.1
Comment 5 Marcus Meissner 2016-11-18 20:00:58 UTC
released