Cross-site Request Forgery (CSRF) Affecting firefox package, versions *


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.47% (76th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL7-FIREFOX-1326251
  • published26 Jul 2021
  • disclosed3 Apr 2013

Introduced: 3 Apr 2013

CVE-2013-6167  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

There is no fixed version for RHEL:7 firefox.

NVD Description

Note: Versions mentioned in the description apply only to the upstream firefox package and not the firefox package as distributed by RHEL. See How to fix? for RHEL:7 relevant fixed versions and status.

Mozilla Firefox through 27 sends HTTP Cookie headers without first validating that they have the required character-set restrictions, which allows remote attackers to conduct the equivalent of a persistent Logout CSRF attack via a crafted parameter that forces a web application to set a malformed cookie within an HTTP response.

CVSS Scores

version 3.1