Mozilla Firefox before 31.1 on Android does not properly restrict copying of local files onto the SD card during processing of file: URLs, which allows attackers to obtain sensitive information from the Firefox profile directory via a crafted application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1515.

The remote host is affected by the vulnerability described in GLSA-201504-01 (Mozilla Products: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Firefox, Thunderbird,       and SeaMonkey. Please review the CVE identifiers referenced below for       details.
  Impact :

    A remote attacker could entice a user to view a specially crafted web       page or email, possibly resulting in execution of arbitrary code or a       Denial of Service condition. Furthermore, a remote attacker may be able       to perform Man-in-the-Middle attacks, obtain sensitive information, spoof       the address bar, conduct clickjacking attacks, bypass security       restrictions and protection mechanisms,  or have other unspecified       impact.
  Workaround :

    There are no known workarounds at this time.

Versions of Mozilla Firefox older than 32 (or 31.1) contain an information disclosure vulnerability wherein a file: protocol hyperlink could link to a local file in the Firefox profile directory, bypassing access restrictions. This issue was only incompletely addressed by a previous version but has since been more fully patched.

ID	Name	Product	Family	Severity
82632	GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
8372	Mozilla Firefox for Android < 32 / 31.1 'file:' Protocol Directory Access	Nessus Network Monitor	Web Clients	low

Detections

Analytics

CVE-2014-1566

medium

Tenable Plugins

critical

low