PT-2015-1048 · Mozilla+5 · Firefox+7

Boris Zbarsky

+1

·

Publicado

2015-03-31

·

Atualizado

2024-12-12

·

CVE-2015-0801

CVSS v2.0

7.5

Alta

VetorAV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 37.0 Firefox ESR versions 31.x prior to 31.6 Thunderbird versions prior to 31.6
Description The issue allows a remote attacker to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation. This can be achieved by exploiting the vulnerability in the affected software, allowing the attacker to perform actions with elevated privileges.
Recommendations For Mozilla Firefox versions prior to 37.0, update to version 37.0 or later to resolve the issue. For Firefox ESR versions 31.x prior to 31.6, update to version 31.6 or later to resolve the issue. For Thunderbird versions prior to 31.6, update to version 31.6 or later to resolve the issue. As a temporary workaround, consider restricting access to anchor navigation in the affected software until a patch is available.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-264

Identificadores relacionados

ALT-PU-2015-1374
ALT-PU-2015-1464
ALT-PU-2015-1584
BDU:2015-09900
BDU:2015-09901
BDU:2015-09902
CESA-2015_0766
CESA-2015_0771
CVE-2015-0801
DSA-3211-1
DSA-3212-1
MGASA-2015-0131
MGASA-2015-0342
OPENSUSE-SU-2015_0677-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10230-1
OPENSUSE-SU-2024:14572-1
RHSA-2015:0766
RHSA-2015:0771
RHSA-2015_0766
RHSA-2015_0771
SUSE-SU-2015:0704-1
SUSE-SU-2015:0704-2
SUSE-SU-2015_0704-1
SUSE-SU-2015_0704-2
SUSE-SU-2015_0706-1
USN-2550-1
USN-2552-1

Produtos afetados

Alt Linux
Centos
Firefox Esr
Firefox
Red Hat
Suse
Thunderbird
Ubuntu