PT-2014-1289 · Mozilla+5 · Thunderbird+8

Published

2014-04-29

·

Updated

2024-12-12

·

CVE-2014-1529

CVSS v2.0

9.3

High

VectorAV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 29.0 Mozilla Firefox ESR versions prior to 24.5 Thunderbird versions prior to 24.5 SeaMonkey versions prior to 2.26
Description The issue allows remote attackers to bypass intended source-component restrictions and execute arbitrary JavaScript code in a privileged context via a crafted web page for which Notification.permission is granted. This is achieved by manipulating the web notification API component. The vulnerability is related to the function nsJSThunk::EvaluateScript.
Recommendations For Mozilla Firefox versions prior to 29.0, update to version 29.0 or later. For Mozilla Firefox ESR versions prior to 24.5, update to version 24.5 or later. For Thunderbird versions prior to 24.5, update to version 24.5 or later. For SeaMonkey versions prior to 2.26, update to version 2.26 or later. As a temporary workaround, consider disabling the web notification API component until a patch is available.

Exploit

Fix

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-264CWE-269

Related Identifiers

ALT-PU-2014-1620
ALT-PU-2014-1621
ALT-PU-2014-1678
BDU:2015-00065
BDU:2015-00066
BDU:2015-00067
BDU:2015-00068
CESA-2014_0448
CESA-2014_0449
CVE-2014-1529
DSA-2918-1
DSA-2924-1
MGASA-2014-0201
MGASA-2014-0259
OPENSUSE-SU-2014_1100-1
OPENSUSE-SU-2024:10071-1
OPENSUSE-SU-2024:10230-1
OPENSUSE-SU-2024:14572-1
RHSA-2014:0448
RHSA-2014:0449
RHSA-2014_0448
RHSA-2014_0449
USN-2185-1
USN-2189-1

Affected Products

Alt Linux
Centos
Firefox
Firefox Esr
Red Hat
Seamonkey
Suse
Thunderbird
Ubuntu