{"api_version":"1","generated_at":"2026-04-24T00:06:43+00:00","cve":"CVE-2017-7764","urls":{"html":"https://cve.report/CVE-2017-7764","api":"https://cve.report/api/cve/CVE-2017-7764.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-7764","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-7764"},"summary":{"title":"CVE-2017-7764","description":"Characters from the \"Canadian Syllabics\" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw \"punycode\" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from \"Aspirational Use Scripts\" such as Canadian Syllabics to be mixed with Latin characters in the \"moderately restrictive\" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as \"Limited Use Scripts.\". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2018-06-11 21:29:00","updated_at":"2018-08-13 19:37:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"http://www.securitytracker.com/id/1038689","name":"1038689","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Bugs Let Remote Users Spoof URLs, Obtain Potentially Sensitive Information, and Execute Arbitrary Code and Let Local Users Gain Elevated Privileges - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/99057","name":"99057","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Mozilla Firefox Multiple Security Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.mozilla.org/security/advisories/mfsa2017-17/","name":"https://www.mozilla.org/security/advisories/mfsa2017-17/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Thunderbird 52.2 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1364283","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1364283","refsource":"CONFIRM","tags":["Exploit","Issue Tracking","Vendor Advisory"],"title":"1364283 - (CVE-2017-7764) Security: disallow \"Canadian Syllabics\" unicode block from IDN domains","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:1561","name":"RHSA-2017:1561","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2017/dsa-3881","name":"DSA-3881","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-3881-1 firefox-esr","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:1440","name":"RHSA-2017:1440","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2017-16/","name":"https://www.mozilla.org/security/advisories/mfsa2017-16/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox ESR 52.2 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts","name":"http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts","refsource":"MISC","tags":["Third Party Advisory"],"title":"UAX #31: Unicode Identifier and Pattern Syntax","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2017-15/","name":"https://www.mozilla.org/security/advisories/mfsa2017-15/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security vulnerabilities fixed in Firefox 54 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2017/dsa-3918","name":"DSA-3918","refsource":"DEBIAN","tags":["Third Party Advisory"],"title":"Debian -- Security Information -- DSA-3918-1 icedove","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-7764","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-7764","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"7764","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2017-7764","qid":"378160","title":"Virtuozzo Linux Security Update for firefox (VZLSA-2017:1440)"},{"cve":"CVE-2017-7764","qid":"378205","title":"Virtuozzo Linux Security Update for thunderbird (VZLSA-2017:1561)"},{"cve":"CVE-2017-7764","qid":"710287","title":"Gentoo Linux Mozilla Firefox Multiple Vulnerabilities (GLSA 201802-03)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@mozilla.org","ID":"CVE-2017-7764","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_affected":"<","version_value":"54"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_affected":"<","version_value":"52.2"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_affected":"<","version_value":"52.2"}]}}]},"vendor_name":"Mozilla"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Characters from the \"Canadian Syllabics\" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw \"punycode\" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from \"Aspirational Use Scripts\" such as Canadian Syllabics to be mixed with Latin characters in the \"moderately restrictive\" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as \"Limited Use Scripts.\". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Domain spoofing with combination of Canadian Syllabics and other unicode blocks"}]}]},"references":{"reference_data":[{"name":"99057","refsource":"BID","url":"http://www.securityfocus.com/bid/99057"},{"name":"http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts","refsource":"MISC","url":"http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts"},{"name":"https://www.mozilla.org/security/advisories/mfsa2017-15/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2017-15/"},{"name":"DSA-3918","refsource":"DEBIAN","url":"https://www.debian.org/security/2017/dsa-3918"},{"name":"1038689","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1038689"},{"name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1364283","refsource":"CONFIRM","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1364283"},{"name":"DSA-3881","refsource":"DEBIAN","url":"https://www.debian.org/security/2017/dsa-3881"},{"name":"RHSA-2017:1440","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:1440"},{"name":"RHSA-2017:1561","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:1561"},{"name":"https://www.mozilla.org/security/advisories/mfsa2017-17/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2017-17/"},{"name":"https://www.mozilla.org/security/advisories/mfsa2017-16/","refsource":"CONFIRM","url":"https://www.mozilla.org/security/advisories/mfsa2017-16/"}]}},"nvd":{"publishedDate":"2018-06-11 21:29:00","lastModifiedDate":"2018-08-13 19:37:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"54.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"52.2.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"52.2.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"7764","Ordinal":"104578","Title":"CVE-2017-7764","CVE":"CVE-2017-7764","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"7764","Ordinal":"1","NoteData":"Characters from the \"Canadian Syllabics\" unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw \"punycode\" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from \"Aspirational Use Scripts\" such as Canadian Syllabics to be mixed with Latin characters in the \"moderately restrictive\" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as \"Limited Use Scripts.\". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"7764","Ordinal":"2","NoteData":"2018-06-11","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"7764","Ordinal":"3","NoteData":"2018-06-12","Type":"Other","Title":"Modified"}]}}}