Vulnerability CVE-2015-0802


Published: 2015-04-01

Description:
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
Firefox PDF.js Privileged Javascript Injection
joev
24.08.2015

Type:

CWE-264

(Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Opensuse -> Opensuse 
Novell -> Opensuse 
Mozilla -> Firefox 
Canonical -> Ubuntu linux 

 References:
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html
http://www.mozilla.org/security/announce/2015/mfsa2015-42.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securitytracker.com/id/1031996
http://www.ubuntu.com/usn/USN-2550-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1124898
https://security.gentoo.org/glsa/201512-10
https://www.exploit-db.com/exploits/37958/

Copyright 2024, cxsecurity.com

 

Back to Top