PT-2014-1146 · Mozilla+2 · Firefox+3
Published
2014-02-04
·
Updated
2024-12-12
·
CVE-2014-1485
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 27.0
SeaMonkey versions prior to 2.24
Description
The Content Security Policy (CSP) implementation operates on XSLT stylesheets according to style-src directives instead of script-src directives. This might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions. The issue is related to an error in the implementation of the Content Security Policy when working with XSLT stylesheets, allowing remote attackers to execute arbitrary XSLT code using insufficient style-src directive restrictions.
Recommendations
For Mozilla Firefox versions prior to 27.0, update to version 27.0 or later to resolve the issue.
For SeaMonkey versions prior to 2.24, update to version 2.24 or later to resolve the issue.
As a temporary workaround, consider restricting the use of style-src directives in the Content Security Policy to minimize the risk of exploitation.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Firefox
Seamonkey
Suse