Vulnerability CVE-2014-1510
Published: 2014-03-19

Description:
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Firefox WebIDL Privileged Javascript Injection
joev
28.08.2014

Type:

CWE-94

 (Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Mozilla -> Firefox 
Mozilla -> Firefox esr 
Mozilla -> Seamonkey 
Mozilla -> Thunderbird 

 References:
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00022.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00016.html
http://rhn.redhat.com/errata/RHSA-2014-0310.html
http://rhn.redhat.com/errata/RHSA-2014-0316.html
http://www.debian.org/security/2014/dsa-2881
http://www.debian.org/security/2014/dsa-2911
http://www.mozilla.org/security/announce/2014/mfsa2014-29.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/66206
http://www.ubuntu.com/usn/USN-2151-1
https://bugzilla.mozilla.org/show_bug.cgi?id=982906
https://security.gentoo.org/glsa/201504-01
Copyright 2024, cxsecurity.com

 

Back to Top