CVE-2017-5453

Publication date 20 April 2017

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

A mechanism to inject static HTML into the RSS reader preview page due to a failure to escape characters sent as URL parameters for a feed's "TITLE" element. This vulnerability allows for spoofing but no scripted content can be run. This vulnerability affects Firefox < 53.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	17.04 zesty	Fixed 53.0+build6-0ubuntu0.17.04.1
	16.10 yakkety	Fixed 53.0+build6-0ubuntu0.16.10.1
	16.04 LTS xenial	Fixed 53.0+build6-0ubuntu0.16.04.1
	14.04 LTS trusty	Fixed 53.0+build6-0ubuntu0.14.04.1
	12.04 LTS precise	Ignored
thunderbird	17.04 zesty	Not affected
	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Ignored end of life

Severity score breakdown

Parameter	Value
Base score	4.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	Low
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References

Related Ubuntu Security Notices (USN)

USN-3260-1
Firefox vulnerabilities
21 April 2017