CVE-2015-0807

medium

Description

The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638.

References

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

http://rhn.redhat.com/errata/RHSA-2015-0766.html

http://rhn.redhat.com/errata/RHSA-2015-0771.html

http://www.debian.org/security/2015/dsa-3211

http://www.debian.org/security/2015/dsa-3212

http://www.mozilla.org/security/announce/2015/mfsa2015-37.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.securityfocus.com/bid/73457

http://www.securitytracker.com/id/1031996

http://www.securitytracker.com/id/1032000

http://www.ubuntu.com/usn/USN-2550-1

http://www.ubuntu.com/usn/USN-2552-1

https://bugzilla.mozilla.org/show_bug.cgi?id=1111834

https://security.gentoo.org/glsa/201512-10

Details

Source: MITRE

Published: 2015-04-01

Updated: 2017-01-03

Type: CWE-352

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins


ID | Name | Product | Family | Severity
701254 | Mozilla Firefox ESR < 31.6 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | high
87710 | GLSA-201512-10 : Mozilla Products: Multiple vulnerabilities (Bar Mitzvah) (Logjam) | Nessus | Gentoo Local Security Checks | critical
8745 | Mozilla Thunderbird < 31.6 Multiple Vulnerabilities | Nessus Network Monitor | SMTP Clients | high
8742 | Mozilla Firefox < 37.0 Multiple Vulnerabilities | Nessus Network Monitor | Web Clients | high
82739 | SuSE 11.3 Security Update : Mozilla Firefox (SAT Patch Number 10571) | Nessus | SuSE Local Security Checks | high
82651 | openSUSE Security Update : MozillaFirefox / MozillaThunderbird / mozilla-nspr (openSUSE-2015-290) | Nessus | SuSE Local Security Checks | high
82565 | Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : thunderbird vulnerabilities (USN-2552-1) | Nessus | Ubuntu Local Security Checks | high
82538 | Debian DSA-3212-1 : icedove - security update | Nessus | Debian Local Security Checks | high
82524 | Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : firefox vulnerabilities (USN-2550-1) | Nessus | Ubuntu Local Security Checks | high
82522 | Scientific Linux Security Update : thunderbird on SL5.x, SL6.x, SL7.x i386/x86_64 (20150401) | Nessus | Scientific Linux Local Security Checks | high
82520 | Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150401) | Nessus | Scientific Linux Local Security Checks | high
82519 | RHEL 5 / 6 / 7 : thunderbird (RHSA-2015:0771) | Nessus | Red Hat Local Security Checks | high
82517 | Oracle Linux 6 / 7 : thunderbird (ELSA-2015-0771) | Nessus | Oracle Linux Local Security Checks | high
82512 | Debian DSA-3211-1 : iceweasel - security update | Nessus | Debian Local Security Checks | high
82510 | CentOS 5 / 7 : thunderbird (CESA-2015:0771) | Nessus | CentOS Local Security Checks | high
82504 | Mozilla Thunderbird < 31.6 Multiple Vulnerabilities | Nessus | Windows | high
82503 | Firefox < 37.0 Multiple Vulnerabilities | Nessus | Windows | high
82502 | Firefox ESR 31.x < 31.6 Multiple Vulnerabilities | Nessus | Windows | high
82501 | Mozilla Thunderbird < 31.6 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | high
82500 | Firefox < 37.0 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | high
82499 | Firefox ESR 31.x < 31.6 Multiple Vulnerabilities (Mac OS X) | Nessus | MacOS X Local Security Checks | high
82495 | RHEL 5 / 6 / 7 : firefox (RHSA-2015:0766) | Nessus | Red Hat Local Security Checks | high
82488 | Oracle Linux 5 / 6 / 7 : firefox (ELSA-2015-0766) | Nessus | Oracle Linux Local Security Checks | high
82482 | FreeBSD : mozilla -- multiple vulnerabilities (d0c97697-df2c-4b8b-bff2-cec24dc35af8) | Nessus | FreeBSD Local Security Checks | high
82477 | CentOS 5 / 6 / 7 : firefox / xulrunner (CESA-2015:0766) | Nessus | CentOS Local Security Checks | high