PT-2015-1966 · Mozilla+5 · Firefox+6

Bas Venis

Published

2015-08-27

Updated

2024-12-12

CVE-2015-4498

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 40.0.3 Firefox ESR versions prior to 38.2.1

Description The issue is related to the add-on installation feature, which allows remote attackers to bypass the intended user-confirmation requirement. This can be achieved by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain point in the installation process. The vulnerability is associated with errors in security settings, enabling a remote attacker to bypass the user confirmation procedure for installing updates using specially formed data.

Recommendations For Mozilla Firefox versions prior to 40.0.3, update to version 40.0.3 or later. For Firefox ESR versions prior to 38.2.1, update to version 38.2.1 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-254

Related Identifiers

ALT-PU-2015-1816

ALT-PU-2016-1454

BDU:2015-11312

CESA-2015_1693

CVE-2015-4498

DSA-3345-1

MGASA-2015-0331

OPENSUSE-SU-2024:10071-1

OPENSUSE-SU-2024:14572-1

RHSA-2015:1693

RHSA-2015_1693

SUSE-SU-2015:1476-1

SUSE-SU-2015:1504-1

USN-2723-1

Affected Products

Alt Linux

Centos

Firefox Esr

Firefox

Red Hat

Suse

Ubuntu

PT-2015-1966 · Mozilla+5 · Firefox+6

CVE-2015-4498

Weakness Enumeration

Related Identifiers

Affected Products

References · 2388