CVE-2016-9064

Source
Severity High
Remote Yes
Type Insufficient validation
Description
Add-on updates failed to verify that the add-on ID inside the signed package matched the ID of the add-on being updated. An attacker who could perform a man-in-the-middle attack on the user's connection to the update server and defeat the certificate pinning protection could provide a malicious signed add-on instead of a valid update.
Group Package Affected Fixed Severity Status Ticket
AVG-72 firefox 49.0.2-1 50.0-1 Critical Fixed
Date Advisory Group Package Severity Description
16 Nov 2016 ASA-201611-16 AVG-72 firefox Critical multiple issues
References
https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/#CVE-2016-9064