CVE-2016-1965

Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle a navigation sequence that returns to the original page, which allows remote attackers to spoof the address bar via vectors involving the history.back method and the location.protocol property.

Published: Mar 13, 2016
Updated: Nov 9, 2025
CVE: CVE-2016-1965
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-254

Affected Software
References

Software	From	Fixed in
mozilla / firefox	-	44.0.2.x
opensuse / opensuse	13.1	13.1.x
oracle / linux	5.0	5.0.x
oracle / linux	6	6.x
oracle / linux	7	7.x
mozilla / firefox	38.0	38.0.x
mozilla / firefox	38.0.1	38.0.1.x
mozilla / firefox	38.0.5	38.0.5.x
mozilla / firefox	38.1.0	38.1.0.x
mozilla / firefox	38.1.1	38.1.1.x
mozilla / firefox	38.2.0	38.2.0.x
mozilla / firefox	38.2.1	38.2.1.x
mozilla / firefox	38.3.0	38.3.0.x
mozilla / firefox	38.4.0	38.4.0.x
mozilla / firefox	38.5.0	38.5.0.x
mozilla / firefox	38.5.1	38.5.1.x
mozilla / firefox	38.6.0	38.6.0.x
mozilla / firefox	38.6.1	38.6.1.x

Vulnerability Database

308,926

CVE-2016-1965

Deep Security Visibility Without the Complexity