CVE-2016-1940 - Vulnerability Details - OpenCVE

Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Android
Mozilla	Firefox

Configuration 1 [-]

AND

cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.mozilla.org/security/announce/2016/mfsa2016-05.html
http://www.securitytracker.com/id/1034825
https://bugzilla.mozilla.org/show_bug.cgi?id=1208525
https://security.gentoo.org/glsa/201605-06

History

No history.

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2016-01-31T18:00:00

Updated: 2024-08-05T23:10:40.233Z

Reserved: 2016-01-20T00:00:00

Link: CVE-2016-1940

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-01-31T18:59:06.917

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-1940

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-26T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-09T09:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "1034825", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034825"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1208525"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-05.html"}, {"name": "GLSA-201605-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201605-06"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2016-1940", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1034825", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034825"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1208525", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1208525"}, {"name": "http://www.mozilla.org/security/announce/2016/mfsa2016-05.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-05.html"}, {"name": "GLSA-201605-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201605-06"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:10:40.233Z"}, "title": "CVE Program Container", "references": [{"name": "1034825", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034825"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1208525"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-05.html"}, {"name": "GLSA-201605-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201605-06"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2016-1940", "datePublished": "2016-01-31T18:00:00", "dateReserved": "2016-01-20T00:00:00", "dateUpdated": "2024-08-05T23:10:40.233Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:*:*:*:*:*:*:*:*", "matchCriteriaId": "8255F035-04C8-4158-B301-82101711939C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "11233031-7034-4B56-8D8A-FCBD100B26F3", "versionEndIncluding": "43.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing."}, {"lang": "es", "value": "Mozilla Firefox en versiones anteriores a 44.0 en Android permite a atacantes remotos suplantar la barra de direcciones a trav\u00e9s de un data: URL que se maneja incorrectamente durante el procesamiento de (1) la apertura de un acceso directo o (2) un BOOKMARK intent."}], "id": "CVE-2016-1940", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-01-31T18:59:06.917", "references": [{"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-05.html"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1034825"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1208525"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201605-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2016/mfsa2016-05.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034825"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1208525"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201605-06"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-17"}], "source": "nvd@nist.gov", "type": "Primary"}]}