VulnerableCode Package Details - pkg:alpm/archlinux/firefox@50.0-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-xr17-y674-t3bg Aliases: CVE-2016-9078	Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. Note: This issue only affects Firefox 49 and 50.	50.0.2-1 Affected by 13 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xsjn-fjrv-hfa8 Aliases: CVE-2016-9079	A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.	50.0.2-1 Affected by 13 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-xr17-y674-t3bg
Aliases:
CVE-2016-9078

Redirection from an HTTP connection to a data: URL assigns the referring site's origin to the data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them. *Note: This issue only affects Firefox 49 and 50.*

50.0.2-1
Affected by 13 other vulnerabilities.

VCID-xsjn-fjrv-hfa8
Aliases:
CVE-2016-9079

A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.

50.0.2-1
Affected by 13 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1jzs-bnnf-e7a1	During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash.	CVE-2016-5292
VCID-39aj-qv27-23f1	A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections.	CVE-2016-9070
VCID-3z29-h785-4yhn	An integer overflow during the parsing of XML using the Expat library.	CVE-2016-9063
VCID-62jc-8yn4-dfbw	Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations.	CVE-2016-9077
VCID-6ts4-3n4j-8fex	Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Thunderbird ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.	CVE-2016-5290
VCID-7199-x8bb-37ga	Two use-after-free errors during DOM operations resulting in potentially exploitable crashes.	CVE-2016-9067
VCID-79r3-41uf-euhw	An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission.	CVE-2016-9075
VCID-7znj-3ah1-eba6	Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history.	CVE-2016-9071
VCID-b9yp-ypbq-7uah	WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox.	CVE-2016-9073
VCID-g1wr-ze1x-dfgg	A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash.	CVE-2016-9068
VCID-hc2b-dh1h-9fhv	An issue where a <select> dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function.	CVE-2016-9076
VCID-kphr-u6t6-yqeh	A same-origin policy bypass with local shortcut files to load arbitrary local content from disk.	CVE-2016-5291
VCID-mhc7-38eq-xqh2	A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data.	CVE-2016-9066
VCID-q784-ydu7-vkfy	Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.	CVE-2016-5289
VCID-s4th-dr22-h3hg	Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update.	CVE-2016-9064
VCID-uw53-wc7r-afgd	A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash.	CVE-2016-5296
VCID-x664-xzxa-ckbe	An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues.	CVE-2016-5297

Vulnerability

Summary

Aliases

VCID-1jzs-bnnf-e7a1

During URL parsing, a maliciously crafted URL can cause a potentially exploitable crash.

CVE-2016-5292

VCID-39aj-qv27-23f1

A maliciously crafted page loaded to the sidebar through a bookmark can reference a privileged chrome window and engage in limited JavaScript operations violating cross-origin protections.

CVE-2016-9070

VCID-3z29-h785-4yhn

An integer overflow during the parsing of XML using the Expat library.

CVE-2016-9063

VCID-62jc-8yn4-dfbw

Canvas allows the use of the feDisplacementMap filter on images loaded cross-origin. The rendering by the filter is variable depending on the input pixel, allowing for timing attacks when the images are loaded from third party locations.

CVE-2016-9077

VCID-6ts4-3n4j-8fex

Mozilla developers and community members Olli Pettay, Christian Holler, Ehsan Akhgari, Jon Coppeard, Gary Kwong, Tooru Fujisawa, Philipp, and Randell Jesup reported memory safety bugs present in Thunderbird ESR 45.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

CVE-2016-5290

VCID-7199-x8bb-37ga

Two use-after-free errors during DOM operations resulting in potentially exploitable crashes.

CVE-2016-9067

VCID-79r3-41uf-euhw

An issue where WebExtensions can use the mozAddonManager API to elevate privilege due to privileged pages being allowed in the permissions list. This allows a malicious extension to then install additional extensions without explicit user permission.

CVE-2016-9075

VCID-7znj-3ah1-eba6

Content Security Policy combined with HTTP to HTTPS redirection can be used by malicious server to verify whether a known site is within a user's browser history.

CVE-2016-9071

VCID-b9yp-ypbq-7uah

WebExtensions can bypass security checks to load privileged URLs and potentially escape the WebExtension sandbox.

CVE-2016-9073

VCID-g1wr-ze1x-dfgg

A use-after-free during web animations when working with timelines resulting in a potentially exploitable crash.

CVE-2016-9068

VCID-hc2b-dh1h-9fhv

An issue where a <select> dropdown menu can be used to cover location bar content, resulting in potential spoofing attacks. This attack requires e10s to be enabled in order to function.

CVE-2016-9076

VCID-kphr-u6t6-yqeh

A same-origin policy bypass with local shortcut files to load arbitrary local content from disk.

CVE-2016-5291

VCID-mhc7-38eq-xqh2

A buffer overflow resulting in a potentially exploitable crash due to memory allocation issues when handling large amounts of incoming data.

CVE-2016-9066

VCID-q784-ydu7-vkfy

Mozilla developers and community members Christian Holler, Andrew McCreight, Dan Minor, Tyson Smith, Jon Coppeard, Jan-Ivar Bruaroey, Jesse Ruderman, and Markus Stange reported memory safety bugs present in Firefox 49. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.

CVE-2016-5289

VCID-s4th-dr22-h3hg

Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update.

CVE-2016-9064

VCID-uw53-wc7r-afgd

A heap-buffer-overflow in Cairo when processing SVG content caused by compiler optimization, resulting in a potentially exploitable crash.

CVE-2016-5296

VCID-x664-xzxa-ckbe

An error in argument length checking in JavaScript, leading to potential integer overflows or other bounds checking issues.

CVE-2016-5297

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-31T11:35:51.756110+00:00	Arch Linux Importer	Fixing	VCID-q784-ydu7-vkfy	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.727261+00:00	Arch Linux Importer	Fixing	VCID-6ts4-3n4j-8fex	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.700418+00:00	Arch Linux Importer	Fixing	VCID-kphr-u6t6-yqeh	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.671355+00:00	Arch Linux Importer	Fixing	VCID-1jzs-bnnf-e7a1	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.644879+00:00	Arch Linux Importer	Fixing	VCID-uw53-wc7r-afgd	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.616635+00:00	Arch Linux Importer	Fixing	VCID-x664-xzxa-ckbe	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.587770+00:00	Arch Linux Importer	Fixing	VCID-3z29-h785-4yhn	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.560488+00:00	Arch Linux Importer	Fixing	VCID-s4th-dr22-h3hg	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.533445+00:00	Arch Linux Importer	Fixing	VCID-mhc7-38eq-xqh2	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.506503+00:00	Arch Linux Importer	Fixing	VCID-7199-x8bb-37ga	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.480080+00:00	Arch Linux Importer	Fixing	VCID-g1wr-ze1x-dfgg	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.453953+00:00	Arch Linux Importer	Fixing	VCID-39aj-qv27-23f1	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.426190+00:00	Arch Linux Importer	Fixing	VCID-7znj-3ah1-eba6	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.399896+00:00	Arch Linux Importer	Fixing	VCID-b9yp-ypbq-7uah	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.372905+00:00	Arch Linux Importer	Fixing	VCID-79r3-41uf-euhw	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.346711+00:00	Arch Linux Importer	Fixing	VCID-hc2b-dh1h-9fhv	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:51.320577+00:00	Arch Linux Importer	Fixing	VCID-62jc-8yn4-dfbw	https://security.archlinux.org/AVG-72	37.0.0
2025-07-31T11:35:47.762031+00:00	Arch Linux Importer	Affected by	VCID-xr17-y674-t3bg	https://security.archlinux.org/AVG-90	37.0.0
2025-07-31T11:35:47.734416+00:00	Arch Linux Importer	Affected by	VCID-xsjn-fjrv-hfa8	https://security.archlinux.org/AVG-90	37.0.0

2025-07-31T11:35:51.756110+00:00

Arch Linux Importer

Fixing

Next non-vulnerable version	52.0-1
Latest non-vulnerable version	101.0-1
Risk	10.0