CVE-2017-7832

The combined, single character, version of the letter 'i' with any of the potential accents in unicode, such as acute or grave, can be spoofed in the addressbar by the dotless version of 'i' followed by the same accent as a second character with most font sets. This allows for domain spoofing attacks because these combined domain names do not display as punycode. This vulnerability affects Firefox < 57.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
mozillaCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
VendorProductVersion
mozillafirefox
𝑥
≤ 56.0.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
132.0.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
bionic
Fixed 57.0.1+build2-0ubuntu1
released
artful
Fixed 57.0+build4-0ubuntu0.17.10.5
released
zesty
Fixed 57.0+build4-0ubuntu0.17.04.5
released
xenial
Fixed 57.0+build4-0ubuntu0.16.04.5
released
trusty
Fixed 57.0+build4-0ubuntu0.14.04.4
released
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/101832
http://www.securitytracker.com/id/1039803
https://bugzilla.mozilla.org/show_bug.cgi?id=1408782
https://www.mozilla.org/security/advisories/mfsa2017-24/
http://www.securityfocus.com/bid/101832
http://www.securitytracker.com/id/1039803
https://bugzilla.mozilla.org/show_bug.cgi?id=1408782
https://www.mozilla.org/security/advisories/mfsa2017-24/