CVE-2016-5284

HIGH Year: 2016
CVSS v3 Score
7.4
High
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-20
View all →

Vulnerability Description

Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.

Related Vulnerabilities

CVE-2012-0051

HIGH
CVSS:7.4(High)

Tahoe-LAFS 1.9.0 fails to ensure integrity which allows remote attackers to corrupt mutable files or directories upon retrieval.

CWE-202012

CVE-2012-1326

HIGH
CVSS:7.4(High)

Cisco IronPort Web Security Appliance up to and including 7.5 does not validate the basic constraints of the certificate authority which could lead to MITM attacks

CWE-202012

CVE-2013-0243

HIGH
CVSS:7.4(High)

haskell-tls-extra before 0.6.1 has Basic Constraints attribute vulnerability may lead to Man in the Middle attacks on TLS connections

CWE-202013

CVE-2015-8331

HIGH
CVSS:7.4(High)

The Operation and Maintenance Unit (OMU) in Huawei VCN500 with software before V100R002C00SPC200 does not properly invalidate the session ID when an "abnormal exit" occurs, which allows remote attacke...

CWE-202015

CVE-2015-8466

HIGH
CVSS:7.4(High)

Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.

CWE-202015

CVE-2015-8870

HIGH
CVSS:7.4(High)

Integer overflow in tools/bmp2tiff.c in LibTIFF before 4.0.4 allows remote attackers to cause a denial of service (heap-based buffer over-read), or possibly obtain sensitive information from process m...

CWE-202015