CVE-2015-0801

Description

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

CVSS Metrics

• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.19%• Percentile: 79%

Techniques & Countermeasures

• CWE-264•Permissions, Privileges, and Access Controls

  Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Affected Systems

• Unknown•Firefox

  ≤ 31.5.3 | ≤ 36.0.4 | 31.0 | 31.1.0 | 31.1.1 | 31.3.0 | 31.5.1 | 31.5.2

• mozilla•firefox_esr

  31.1 | 31.2 | 31.3 | 31.4 | 31.5

• mozilla•thunderbird

  ≤ 31.5

References (17)

• https://bugzilla.mozilla.org/show_bug.cgi?id=1146339
• http://www.securitytracker.com/id/1031996
• http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html
• https://security.gentoo.org/glsa/201512-10
• http://www.debian.org/security/2015/dsa-3212
• http://www.mozilla.org/security/announce/2015/mfsa2015-40.html
• http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html
• http://www.ubuntu.com/usn/USN-2552-1
• http://rhn.redhat.com/errata/RHSA-2015-0766.html
• http://www.securityfocus.com/bid/73455
• http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
• http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
• http://www.ubuntu.com/usn/USN-2550-1
• http://www.securitytracker.com/id/1032000
• http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html
• http://rhn.redhat.com/errata/RHSA-2015-0771.html
• http://www.debian.org/security/2015/dsa-3211