CVE-2014-1561

MEDIUM

Description

Mozilla Firefox before 31.0 does not properly restrict use of drag-and-drop events to spoof customization events, which allows remote attackers to alter the placement of UI icons via crafted JavaScript code that is encountered during (1) page, (2) panel, or (3) toolbar customization.

References

http://secunia.com/advisories/59760

http://secunia.com/advisories/60628

http://www.mozilla.org/security/announce/2014/mfsa2014-60.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.securitytracker.com/id/1030619

https://bugzilla.mozilla.org/show_bug.cgi?id=1000514

https://bugzilla.mozilla.org/show_bug.cgi?id=910375

https://security.gentoo.org/glsa/201504-01

Details

Source: MITRE

Published: 2014-07-23

Updated: 2017-01-07

Type: CWE-264

Risk Information

CVSS v2.0

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM