Mozilla Firefox prior to 49.0, Firefox ESR 45.x prior to 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle malicious users to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
mozilla firefox esr 45.0.1 |
||
mozilla firefox 45.0.2 |
||
mozilla firefox esr 45.1.1 |
||
mozilla firefox esr 45.2.0 |
||
mozilla firefox esr 45.3.0 |
||
mozilla firefox esr 45.0 |
||
mozilla firefox |