CVE-2014-8638

medium

Description

The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.
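Why the missing header matters: a sendBeacon() POST carries the user's cookies and, with a simple content type such as text/plain, needs no CORS preflight, so a server that decides "cross-site or not" purely from the Origin header sees a request that is indistinguishable from a same-origin one. The following is an added example, not code from the advisory or from Mozilla: a server-side CSRF origin check modelled in Node, first in the naive form that such a beacon slips past, then in a hardened form that fails closed whenever provenance is missing and additionally demands a per-session token. It goes slightly beyond the advisory in that the hardened check covers any client that omits Origin, not only the affected Firefox versions. The origins app.example and attacker.example, the session store, the function names and the request objects are all constructed for illustration.

```javascript
// Added example, not code from the advisory or from Mozilla: a server-side
// CSRF origin check in two forms, the naive one that a sendBeacon() request
// from an affected Firefox slips past, and a hardened one that fails closed.
// Requests are modelled as plain objects so this runs offline under Node.

const SITE_ORIGIN = 'https://app.example';          // assumed protected site
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Constructed per-session CSRF tokens (hypothetical session store).
const sessionTokens = new Map([['sess-1', 'tok-7f3a']]);

// Naive check: a state-changing request is accepted when Origin matches OR
// when Origin is absent, on the assumption that only same-origin navigations
// and non-browser clients omit it. The affected sendBeacon() implementation
// sends cookies but no Origin, so a beacon fired from a crafted site looks
// same-origin here.
function naiveCsrfCheck(req) {
  if (!UNSAFE_METHODS.has(req.method)) return true;
  const origin = req.headers['origin'];
  return origin === undefined || origin === SITE_ORIGIN;
}

// Parse a header value as a URL and return its origin; anything unparsable
// (including the literal "null" origin) yields null and therefore mismatches.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Hardened check:
//  1. If Origin is present it must match exactly.
//  2. If Origin is absent, fall back to the Referer's origin.
//  3. If neither header is present, reject: a state-changing request with
//     no provenance is treated as cross-site, never as same-origin.
//  4. Independently, require a per-session token in the body; a cross-site
//     page cannot read the victim's token, so it cannot forge this field.
function hardenedCsrfCheck(req) {
  if (!UNSAFE_METHODS.has(req.method)) return { ok: true, reason: 'safe method' };

  const origin = req.headers['origin'];
  const referer = req.headers['referer'];
  if (origin !== undefined) {
    if (originOf(origin) !== SITE_ORIGIN) return { ok: false, reason: 'origin mismatch' };
  } else if (referer !== undefined) {
    if (originOf(referer) !== SITE_ORIGIN) return { ok: false, reason: 'referer mismatch' };
  } else {
    return { ok: false, reason: 'no Origin or Referer on state-changing request' };
  }

  const expected = sessionTokens.get(req.cookies && req.cookies.session);
  const token = new URLSearchParams(req.body).get('csrf_token');
  if (!expected || token !== expected) return { ok: false, reason: 'missing or wrong csrf token' };
  return { ok: true, reason: 'origin verified and token valid' };
}

// Constructed requests (hypothetical names and values).
// Shape of what an affected Firefox sends for
//   navigator.sendBeacon('https://app.example/api/transfer', 'to=mallory&amount=1000')
// run on https://attacker.example: the victim's cookie, a simple content type
// (so no CORS preflight), and no Origin header. Whether a Referer accompanies
// it depends on the page's referrer policy, so both cases are modelled.
const beaconWithReferer = {
  method: 'POST',
  headers: { 'content-type': 'text/plain;charset=UTF-8', 'referer': 'https://attacker.example/lure' },
  cookies: { session: 'sess-1' },
  body: 'to=mallory&amount=1000',
};
const beaconNoReferer = { ...beaconWithReferer, headers: { 'content-type': 'text/plain;charset=UTF-8' } };

// A legitimate same-origin form post carrying the session's token.
const sameOriginPost = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded', 'origin': SITE_ORIGIN },
  cookies: { session: 'sess-1' },
  body: 'to=alice&amount=10&csrf_token=tok-7f3a',
};

for (const [name, req] of [['beaconWithReferer', beaconWithReferer],
                           ['beaconNoReferer', beaconNoReferer],
                           ['sameOriginPost', sameOriginPost]]) {
  console.log(name, 'naive:', naiveCsrfCheck(req), 'hardened:', hardenedCsrfCheck(req));
}
```

The naive check accepts both beacon variants because it treats "no Origin" as trustworthy; the hardened check rejects one on the Referer mismatch and the other for having no provenance at all, and even a beacon that somehow passed the header check would still fail the token comparison. Treating an absent Origin as same-origin is the mistake this CVE turns into a working CSRF, so any origin-based defence should fail closed on absence and never be the only layer.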

References

http://linux.oracle.com/errata/ELSA-2015-0046.html

http://linux.oracle.com/errata/ELSA-2015-0047.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html

http://rhn.redhat.com/errata/RHSA-2015-0046.html

http://rhn.redhat.com/errata/RHSA-2015-0047.html

http://secunia.com/advisories/62237

http://secunia.com/advisories/62242

http://secunia.com/advisories/62250

http://secunia.com/advisories/62253

http://secunia.com/advisories/62259

http://secunia.com/advisories/62273

http://secunia.com/advisories/62274

http://secunia.com/advisories/62283

http://secunia.com/advisories/62293

http://secunia.com/advisories/62304

http://secunia.com/advisories/62313

http://secunia.com/advisories/62315

http://secunia.com/advisories/62316

http://secunia.com/advisories/62418

http://secunia.com/advisories/62446

http://secunia.com/advisories/62657

http://secunia.com/advisories/62790

http://www.debian.org/security/2015/dsa-3127

http://www.debian.org/security/2015/dsa-3132

http://www.mozilla.org/security/announce/2014/mfsa2015-03.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.securityfocus.com/bid/72047

http://www.securitytracker.com/id/1031533

http://www.securitytracker.com/id/1031534

http://www.ubuntu.com/usn/USN-2460-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1080987

https://exchange.xforce.ibmcloud.com/vulnerabilities/99958

https://security.gentoo.org/glsa/201504-01

Details

Source: MITRE

Published: 2015-01-14

Updated: 2017-09-08

Type: CWE-352

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM