CVE-2015-0801

high

Description

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

References

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

http://rhn.redhat.com/errata/RHSA-2015-0766.html

http://rhn.redhat.com/errata/RHSA-2015-0771.html

http://www.debian.org/security/2015/dsa-3211

http://www.debian.org/security/2015/dsa-3212

http://www.mozilla.org/security/announce/2015/mfsa2015-40.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.securityfocus.com/bid/73455

http://www.securitytracker.com/id/1031996

http://www.securitytracker.com/id/1032000

http://www.ubuntu.com/usn/USN-2550-1

http://www.ubuntu.com/usn/USN-2552-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1146339

https://security.gentoo.org/glsa/201512-10

Details

Source: MITRE

Published: 2015-04-01

Updated: 2017-01-03

Type: CWE-264

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH