PT-2015-1966 · Mozilla+5 · Firefox+6
Bas Venis · Published 2015-08-27 · Updated 2024-12-12
CVE-2015-4498
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 40.0.3
Firefox ESR versions prior to 38.2.1
Description
The issue is in the add-on installation feature: remote attackers can bypass the intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain point in the installation process. The vulnerability is associated with errors in security settings, which let a remote attacker use specially formed data to bypass the user confirmation procedure for installing updates.
Recommendations
For Mozilla Firefox versions prior to 40.0.3, update to version 40.0.3 or later.
For Firefox ESR versions prior to 38.2.1, update to version 38.2.1 or later.
Affected Products
ALT Linux
CentOS
Firefox ESR
Firefox
Red Hat
SUSE
Ubuntu