CVE-2017-7839
CVSS 4.3
Published: 2018-06-11 17:29:11
Last revised: 2018-06-25 14:46:39
NMP    

[Original] Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are convinced to copy and paste text into the addressbar. This vulnerability affects Firefox < 57.


[CNNVD] CNNVD data is not yet available.



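- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: NONE [no impact on the availability of the system]
Attack complexity: MEDIUM [exploitation requires certain access conditions]
Attack vector: NETWORK [the attacker does not need internal-network or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-79 [Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found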

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7839
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7839
(Official data source) NVD

- Other links and resources

http://www.securityfocus.com/bid/101832
(VENDOR_ADVISORY)  BID  101832
http://www.securitytracker.com/id/1039803
(VENDOR_ADVISORY)  SECTRACK  1039803
https://bugzilla.mozilla.org/show_bug.cgi?id=1402896
(UNKNOWN)  CONFIRM  https://bugzilla.mozilla.org/show_bug.cgi?id=1402896
https://www.mozilla.org/security/advisories/mfsa2017-24/
(VENDOR_ADVISORY)  CONFIRM  https://www.mozilla.org/security/advisories/mfsa2017-24/

- Vulnerability information (F145015)

Ubuntu Security Notice USN-3477-1 (PacketStormID:F145015)
2017-11-17 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary,spoof
linux,ubuntu
CVE-2017-7826,CVE-2017-7827,CVE-2017-7828,CVE-2017-7830,CVE-2017-7831,CVE-2017-7832,CVE-2017-7833,CVE-2017-7834,CVE-2017-7835,CVE-2017-7837,CVE-2017-7838,CVE-2017-7839,CVE-2017-7840,CVE-2017-7842

Ubuntu Security Notice 3477-1 - Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. Various other issues were also addressed.

===========================================================================
Ubuntu Security Notice USN-3477-1
November 16, 2017

firefox vulnerabilities
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Firefox could be made to crash or run programs as your login if it
opened a malicious website.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, read uninitialized
memory, obtain sensitive information, bypass same-origin restrictions,
bypass CSP protections, bypass mixed content blocking, spoof the
addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

It was discovered that javascript: URLs pasted in to the addressbar
would be executed instead of being blocked in some circumstances. If a
user were tricked in to copying a specially crafted URL in to the
addressbar, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7839)

It was discovered that exported bookmarks do not strip script elements
from user-supplied tags. If a user were tricked in to adding specially
crafted tags to bookmarks, exporting them and then opening the resulting
HTML file, an attacker could potentially exploit this to conduct
cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  firefox                         57.0+build4-0ubuntu0.17.10.5

Ubuntu 17.04:
  firefox                         57.0+build4-0ubuntu0.17.04.5

Ubuntu 16.04 LTS:
  firefox                         57.0+build4-0ubuntu0.16.04.5

Ubuntu 14.04 LTS:
  firefox                         57.0+build4-0ubuntu0.14.04.4

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3477-1
  CVE-2017-7826, CVE-2017-7827, CVE-2017-7828, CVE-2017-7830,
  CVE-2017-7831, CVE-2017-7832, CVE-2017-7833, CVE-2017-7834,
  CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7839,
  CVE-2017-7840, CVE-2017-7842

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.10.5
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.04.5
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.16.04.5
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.14.04.4




    

- Vulnerability information (F145119)

Ubuntu Security Notice USN-3477-2 (PacketStormID:F145119)
2017-11-27 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary,spoof,javascript,vulnerability,xss
linux,ubuntu
CVE-2017-7828,CVE-2017-7830,CVE-2017-7831,CVE-2017-7832,CVE-2017-7833,CVE-2017-7834,CVE-2017-7835,CVE-2017-7837,CVE-2017-7838,CVE-2017-7839,CVE-2017-7840,CVE-2017-7842

Ubuntu Security Notice 3477-2 - USN-3477-1 fixed vulnerabilities in Firefox. The update caused search suggestions to not be displayed when performing Google searches from the search bar. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. It was discovered that javascript: URLs pasted in to the addressbar would be executed instead of being blocked in some circumstances. If a user were tricked in to copying a specially crafted URL in to the addressbar, an attacker could potentially exploit this to conduct cross-site scripting attacks. It was discovered that exported bookmarks do not strip script elements from user-supplied tags. If a user were tricked in to adding specially crafted tags to bookmarks, exporting them and then opening the resulting HTML file, an attacker could potentially exploit this to conduct cross-site scripting attacks. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3477-2
November 27, 2017

firefox regression
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3477-1 caused a regression in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3477-1 fixed vulnerabilities in Firefox. The update caused search
suggestions to not be displayed when performing Google searches from the
search bar. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit these to cause a denial of service, read uninitialized
 memory, obtain sensitive information, bypass same-origin restrictions,
 bypass CSP protections, bypass mixed content blocking, spoof the
 addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
 CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
 CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)
 
 It was discovered that javascript: URLs pasted in to the addressbar
 would be executed instead of being blocked in some circumstances. If a
 user were tricked in to copying a specially crafted URL in to the
 addressbar, an attacker could potentially exploit this to conduct
 cross-site scripting (XSS) attacks. (CVE-2017-7839)
 
 It was discovered that exported bookmarks do not strip script elements
 from user-supplied tags. If a user were tricked in to adding specially
 crafted tags to bookmarks, exporting them and then opening the resulting
 HTML file, an attacker could potentially exploit this to conduct
 cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  firefox                         57.0+build4-0ubuntu0.17.10.6

Ubuntu 17.04:
  firefox                         57.0+build4-0ubuntu0.17.04.6

Ubuntu 16.04 LTS:
  firefox                         57.0+build4-0ubuntu0.16.04.6

Ubuntu 14.04 LTS:
  firefox                         57.0+build4-0ubuntu0.14.04.5

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3477-2
  https://www.ubuntu.com/usn/usn-3477-1
  https://launchpad.net/bugs/1733970

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.10.6
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.17.04.6
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.16.04.6
  https://launchpad.net/ubuntu/+source/firefox/57.0+build4-0ubuntu0.14.04.5


    

- Vulnerability information (F145186)

Ubuntu Security Notice USN-3477-3 (PacketStormID:F145186)
2017-12-01 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary,spoof,javascript,vulnerability,xss
linux,ubuntu
CVE-2017-7828,CVE-2017-7830,CVE-2017-7831,CVE-2017-7832,CVE-2017-7833,CVE-2017-7834,CVE-2017-7835,CVE-2017-7837,CVE-2017-7838,CVE-2017-7839,CVE-2017-7840,CVE-2017-7842

Ubuntu Security Notice 3477-3 - USN-3477-1 fixed vulnerabilities in Firefox. The update introduced various minor regressions. This update fixes the problems. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. It was discovered that javascript: URLs pasted in to the addressbar would be executed instead of being blocked in some circumstances. If a user were tricked in to copying a specially crafted URL in to the addressbar, an attacker could potentially exploit this to conduct cross-site scripting attacks. It was discovered that exported bookmarks do not strip script elements from user-supplied tags. If a user were tricked in to adding specially crafted tags to bookmarks, exporting them and then opening the resulting HTML file, an attacker could potentially exploit this to conduct cross-site scripting attacks. Various other issues were also addressed.

==========================================================================
Ubuntu Security Notice USN-3477-3
December 01, 2017

firefox regressions
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3477-1 caused some minor regressions in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3477-1 fixed vulnerabilities in Firefox. The update introduced various
minor regressions. This update fixes the problems.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit these to cause a denial of service, read uninitialized
 memory, obtain sensitive information, bypass same-origin restrictions,
 bypass CSP protections, bypass mixed content blocking, spoof the
 addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
 CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
 CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)
 
 It was discovered that javascript: URLs pasted in to the addressbar
 would be executed instead of being blocked in some circumstances. If a
 user were tricked in to copying a specially crafted URL in to the
 addressbar, an attacker could potentially exploit this to conduct
 cross-site scripting (XSS) attacks. (CVE-2017-7839)
 
 It was discovered that exported bookmarks do not strip script elements
 from user-supplied tags. If a user were tricked in to adding specially
 crafted tags to bookmarks, exporting them and then opening the resulting
 HTML file, an attacker could potentially exploit this to conduct
 cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  firefox                         57.0.1+build2-0ubuntu0.17.10.1

Ubuntu 17.04:
  firefox                         57.0.1+build2-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  firefox                         57.0.1+build2-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  firefox                         57.0.1+build2-0ubuntu0.14.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3477-3
  https://www.ubuntu.com/usn/usn-3477-1
  https://launchpad.net/bugs/1735801

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/57.0.1+build2-0ubuntu0.17.10.1
  https://launchpad.net/ubuntu/+source/firefox/57.0.1+build2-0ubuntu0.17.04.1
  https://launchpad.net/ubuntu/+source/firefox/57.0.1+build2-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/firefox/57.0.1+build2-0ubuntu0.14.04.1


    

- Vulnerability information (F145616)

Ubuntu Security Notice USN-3477-4 (PacketStormID:F145616)
2018-01-03 00:00:00
Ubuntu  security.ubuntu.com
advisory,denial of service,arbitrary,spoof,vulnerability
linux,ubuntu
CVE-2017-7828,CVE-2017-7830,CVE-2017-7831,CVE-2017-7832,CVE-2017-7833,CVE-2017-7834,CVE-2017-7835,CVE-2017-7837,CVE-2017-7838,CVE-2017-7839,CVE-2017-7840,CVE-2017-7842

Ubuntu Security Notice 3477-4 - USN-3477-1 fixed vulnerabilities in Firefox. The update introduced a crash reporting issue where background tab crash reports were sent to Mozilla without user opt-in. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, read uninitialized memory, obtain sensitive information, bypass same-origin restrictions, bypass CSP protections, bypass mixed content blocking, spoof the addressbar, or execute arbitrary code. Various other issues were also addressed.

===========================================================================
Ubuntu Security Notice USN-3477-4
January 03, 2018

firefox regression
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.10
- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

USN-3477-1 caused a regression in Firefox.

Software Description:
- firefox: Mozilla Open Source web browser

Details:

USN-3477-1 fixed vulnerabilities in Firefox. The update introduced a
crash reporting issue where background tab crash reports were sent to
Mozilla without user opt-in. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were
 tricked in to opening a specially crafted website, an attacker could
 potentially exploit these to cause a denial of service, read uninitialized
 memory, obtain sensitive information, bypass same-origin restrictions,
 bypass CSP protections, bypass mixed content blocking, spoof the
 addressbar, or execute arbitrary code. (CVE-2017-7826, CVE-2017-7827,
 CVE-2017-7828, CVE-2017-7830, CVE-2017-7831, CVE-2017-7832, CVE-2017-7833,
 CVE-2017-7834, CVE-2017-7835, CVE-2017-7837, CVE-2017-7838, CVE-2017-7842)

 It was discovered that javascript: URLs pasted in to the addressbar
 would be executed instead of being blocked in some circumstances. If a
 user were tricked in to copying a specially crafted URL in to the
 addressbar, an attacker could potentially exploit this to conduct
 cross-site scripting (XSS) attacks. (CVE-2017-7839)

 It was discovered that exported bookmarks do not strip script elements
 from user-supplied tags. If a user were tricked in to adding specially
 crafted tags to bookmarks, exporting them and then opening the resulting
 HTML file, an attacker could potentially exploit this to conduct
 cross-site scripting (XSS) attacks. (CVE-2017-7840)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.10:
  firefox                         57.0.3+build1-0ubuntu0.17.10.1

Ubuntu 17.04:
  firefox                         57.0.3+build1-0ubuntu0.17.04.1

Ubuntu 16.04 LTS:
  firefox                         57.0.3+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  firefox                         57.0.3+build1-0ubuntu0.14.04.1

After a standard system update you need to restart Firefox to make
all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3477-4
  https://www.ubuntu.com/usn/usn-3477-1
  https://launchpad.net/bugs/1741048

Package Information:
  https://launchpad.net/ubuntu/+source/firefox/57.0.3+build1-0ubuntu0.17.10.1
  https://launchpad.net/ubuntu/+source/firefox/57.0.3+build1-0ubuntu0.17.04.1
  https://launchpad.net/ubuntu/+source/firefox/57.0.3+build1-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/firefox/57.0.3+build1-0ubuntu0.14.04.1




    
 

 
