PT-2015-1039 · Mozilla+3 · Firefox+3
Armin Ebert +1 · Published 2015-03-31 · Updated 2024-12-12
CVE-2015-0812
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 37.0
Description
The issue allows an attacker controlling network traffic to bypass user authentication by deploying a specially crafted website and conducting a DNS spoofing attack against a mozilla.org subdomain. This is possible because the browser does not require an HTTPS session for lightweight theme add-on installations.
Recommendations
For versions prior to 37.0, update to version 37.0 or later to resolve the issue. As a temporary workaround, consider restricting the installation of lightweight theme add-ons to only those that use HTTPS connections, and avoid using unsecured networks to minimize the risk of exploitation.
Exploit
Fix
RCE
Related identifiers
Affected products
Alt Linux
Firefox
Suse
Ubuntu