CVE-2016-1954

Published: Mar 13, 2016 | Modified: Oct 22, 2024

CVSS 3.x: 8.8 HIGH (Source: NVD) CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x: 6.8 MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:P
RedHat/V2: 4.3 MODERATE AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V3: not listed
Ubuntu: MEDIUM

The nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not prevent use of a non-HTTP report-uri for a Content Security Policy (CSP) violation report, which allows remote attackers to cause a denial of service (data overwrite) or possibly gain privileges by specifying a URL of a local file.

Affected Software

Name                       | Vendor  | Start Version                  | End Version
---------------------------|---------|--------------------------------|-------------------
Firefox                    | Mozilla | *                              | 44.0.2 (including)
Firefox                    | Mozilla | 38.0 (including)               | 38.0 (including)
Firefox                    | Mozilla | 38.0.1 (including)             | 38.0.1 (including)
Firefox                    | Mozilla | 38.0.5 (including)             | 38.0.5 (including)
Firefox                    | Mozilla | 38.1.0 (including)             | 38.1.0 (including)
Firefox                    | Mozilla | 38.1.1 (including)             | 38.1.1 (including)
Firefox                    | Mozilla | 38.2.0 (including)             | 38.2.0 (including)
Firefox                    | Mozilla | 38.2.1 (including)             | 38.2.1 (including)
Firefox                    | Mozilla | 38.3.0 (including)             | 38.3.0 (including)
Firefox                    | Mozilla | 38.4.0 (including)             | 38.4.0 (including)
Firefox                    | Mozilla | 38.5.0 (including)             | 38.5.0 (including)
Firefox                    | Mozilla | 38.5.1 (including)             | 38.5.1 (including)
Firefox                    | Mozilla | 38.6.0 (including)             | 38.6.0 (including)
Firefox                    | Mozilla | 38.6.1 (including)             | 38.6.1 (including)
Thunderbird                | Mozilla | *                              | 38.6.0 (including)
Firefox                    | Ubuntu  | precise                        | *
Firefox                    | Ubuntu  | trusty                         | *
Firefox                    | Ubuntu  | upstream                       | *
Firefox                    | Ubuntu  | wily                           | *
Thunderbird                | Ubuntu  | devel                          | *
Thunderbird                | Ubuntu  | precise                        | *
Thunderbird                | Ubuntu  | trusty                         | *
Thunderbird                | Ubuntu  | upstream                       | *
Thunderbird                | Ubuntu  | wily                           | *
Thunderbird                | Ubuntu  | xenial                         | *
Red Hat Enterprise Linux 5 | RedHat  | firefox-0:38.7.0-1.el5_11      | *
Red Hat Enterprise Linux 5 | RedHat  | thunderbird-0:38.7.0-1.el5_11  | *
Red Hat Enterprise Linux 6 | RedHat  | firefox-0:38.7.0-1.el6_7       | *
Red Hat Enterprise Linux 6 | RedHat  | thunderbird-0:38.7.0-1.el6_7   | *
Red Hat Enterprise Linux 7 | RedHat  | firefox-0:38.7.0-1.el7_2       | *
Red Hat Enterprise Linux 7 | RedHat  | thunderbird-0:38.7.0-1.el7_2   | *

References