Search for vulnerabilities
Vulnerability details: VCID-asfc-cmcs-b7hm
Vulnerability ID VCID-asfc-cmcs-b7hm
Aliases CVE-2016-1954
Summary Security researcher Nicolas Golubovic reported that a malicious page can overwrite files on the user's machine using Content Security Policy (CSP) violation reports. The file contents are restricted to the JSON format of the report. In many cases overwriting a local file may simply be destructive, breaking the functionality of that file. The CSP error reports can include HTML fragments which could be rendered by browsers. If a user has disabled add-on signing and has installed an "unpacked" add-on, a malicious page could overwrite one of the add-on resources. Depending on how this resource is used, this could lead to privilege escalation. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
epss 0.05058 https://api.first.org/data/v1/epss?cve=CVE-2016-1954
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2016-17
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1954.json
https://api.first.org/data/v1/epss?cve=CVE-2016-1954
1315569 https://bugzilla.redhat.com/show_bug.cgi?id=1315569
CVE-2016-1954 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1954
mfsa2016-17 https://www.mozilla.org/en-US/security/advisories/mfsa2016-17
RHSA-2016:0373 https://access.redhat.com/errata/RHSA-2016:0373
RHSA-2016:0460 https://access.redhat.com/errata/RHSA-2016:0460
USN-2917-1 https://usn.ubuntu.com/2917-1/
USN-2934-1 https://usn.ubuntu.com/2934-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.89364
EPSS Score 0.05058
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:10:10.526523+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2016/mfsa2016-17.md 37.0.0