ID CVE-2016-1948
Summary Mozilla Firefox before 44.0 on Android does not ensure that HTTPS is used for a lightweight-theme installation, which allows man-in-the-middle attackers to replace a theme's images and colors by modifying the client-server data stream.
References
Vulnerable Configurations
  • cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
    cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
  • cpe:2.3:a:mozilla:firefox:43.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:firefox:43.0.4:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 10-09-2017 - 01:29)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
confirm
gentoo GLSA-201605-06
sectrack 1034825
Last major update 10-09-2017 - 01:29
Published 31-01-2016 - 18:59
Last modified 10-09-2017 - 01:29
Back to Top