PT-2014-1289 · Mozilla+5 · Thunderbird+8

Publicado

2014-04-29

·

Atualizado

2024-12-12

·

CVE-2014-1529

CVSS v2.0

9.3

Alta

VetorAV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 29.0 Mozilla Firefox ESR versions prior to 24.5 Thunderbird versions prior to 24.5 SeaMonkey versions prior to 2.26
Description The issue allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted. This is achieved by manipulating the web notification API component. The vulnerability is related to the function nsJSThunk::EvaluateScript.
Recommendations For Mozilla Firefox versions prior to 29.0, update to version 29.0 or later. For Mozilla Firefox ESR versions prior to 24.5, update to version 24.5 or later. For Thunderbird versions prior to 24.5, update to version 24.5 or later. For SeaMonkey versions prior to 2.26, update to version 2.26 or later. As a temporary workaround, consider disabling the web notification API component until a patch is available.

Exploit

Correção

Improper Privilege Management

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-264CWE-269

Identificadores relacionados

ALT-PU-2014-1620
ALT-PU-2014-1621
ALT-PU-2014-1678
BDU:2015-00065
BDU:2015-00066
BDU:2015-00067
BDU:2015-00068
CESA-2014_0448
CESA-2014_0449
CVE-2014-1529
DSA-2918-1
DSA-2924-1
MGASA-2014-0201
MGASA-2014-0259
OPENSUSE-SU-2014_1100-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10230-1
OPENSUSE-SU-2024:14572-1
RHSA-2014:0448
RHSA-2014:0449
RHSA-2014_0448
RHSA-2014_0449
USN-2185-1
USN-2189-1

Produtos afetados

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Seamonkey
Suse
Thunderbird
Ubuntu