Mozilla Firefox prior to 39.0, Firefox ESR 38.x prior to 38.1, and Thunderbird prior to 38.1 do not enforce key pinning when an X.509 certificate problem generates a user dialog. This allows user-assisted man-in-the-middle attackers to bypass intended access restrictions by triggering (1) an expired certificate or (2) a mismatched hostname for a domain with pinning enabled.
Vulnerable Product |
---|
mozilla firefox |
oracle solaris 11.3 |
mozilla firefox esr 38.0 |
mozilla firefox esr 31.4 |
mozilla firefox esr 31.3.0 |
mozilla firefox esr 31.5.3 |
mozilla firefox esr 31.5.2 |
mozilla firefox esr 31.1.1 |
mozilla firefox esr 31.1.0 |
mozilla firefox esr 31.5.1 |
mozilla firefox esr 31.5 |
mozilla firefox esr 31.1 |
mozilla firefox esr 31.0 |
mozilla firefox esr 31.7.0 |
mozilla firefox esr 31.6.0 |
mozilla firefox esr 31.3 |
mozilla firefox esr 31.2 |