{"api_version":"1","generated_at":"2026-04-23T12:32:43+00:00","cve":"CVE-2016-2820","urls":{"html":"https://cve.report/CVE-2016-2820","api":"https://cve.report/api/cve/CVE-2016-2820.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2016-2820","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2016-2820"},"summary":{"title":"CVE-2016-2820","description":"The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2016-04-30 17:59:00","updated_at":"2017-07-01 01:29:00"},"problem_types":["CWE-284"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=870870","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=870870","refsource":"CONFIRM","tags":[],"title":"870870 - (CVE-2016-2820) FHR accepts events from untrusted domains","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201701-15","name":"GLSA-201701-15","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox, Thunderbird: Multiple vulnerabilities (GLSA 201701-15) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html","name":"openSUSE-SU-2016:1211","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2016:1211-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html","name":"openSUSE-SU-2016:1251","refsource":"SUSE","tags":[],"title":"openSUSE-SU-2016:1251-1: moderate: Security update to Firefox 46.0","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mozilla.org/security/announce/2016/mfsa2016-48.html","name":"http://www.mozilla.org/security/announce/2016/mfsa2016-48.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Firefox Health Reports could accept events from untrusted domains — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2936-2","name":"USN-2936-2","refsource":"UBUNTU","tags":[],"title":"USN-2936-2: Oxygen-GTK3 update | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2936-1","name":"USN-2936-1","refsource":"UBUNTU","tags":[],"title":"USN-2936-1: Firefox vulnerabilities | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2936-3","name":"USN-2936-3","refsource":"UBUNTU","tags":[],"title":"USN-2936-3: Firefox regression | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1035692","name":"1035692","refsource":"SECTRACK","tags":[],"title":"Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Gain Elevated Privileges, Bypass Security Restrictions, and Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2016-2820","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-2820","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2016","cve_id":"2820","vulnerable":"1","versionEndIncluding":"45.0.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2016-2820","qid":"710500","title":"Gentoo Linux Mozilla Firefox, Thunderbird Multiple Vulnerabilities (GLSA 201701-15)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2016-2820","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"openSUSE-SU-2016:1211","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00005.html"},{"name":"1035692","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1035692"},{"name":"openSUSE-SU-2016:1251","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-updates/2016-05/msg00038.html"},{"name":"USN-2936-2","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2936-2"},{"name":"GLSA-201701-15","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201701-15"},{"name":"USN-2936-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2936-1"},{"name":"USN-2936-3","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2936-3"},{"name":"http://www.mozilla.org/security/announce/2016/mfsa2016-48.html","refsource":"CONFIRM","url":"http://www.mozilla.org/security/announce/2016/mfsa2016-48.html"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=870870","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=870870"}]}},"nvd":{"publishedDate":"2016-04-30 17:59:00","lastModifiedDate":"2017-07-01 01:29:00","problem_types":["CWE-284"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndIncluding":"45.0.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2016","CveId":"2820","Ordinal":"88678","Title":"CVE-2016-2820","CVE":"CVE-2016-2820","Year":"2016"},"notes":[{"CveYear":"2016","CveId":"2820","Ordinal":"1","NoteData":"The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element.","Type":"Description","Title":null},{"CveYear":"2016","CveId":"2820","Ordinal":"2","NoteData":"2016-04-30","Type":"Other","Title":"Published"},{"CveYear":"2016","CveId":"2820","Ordinal":"3","NoteData":"2017-06-30","Type":"Other","Title":"Modified"}]}}}