Mozilla Firefox for Android < 32 / 31.1 'file:' Protocol Directory Access

Low Nessus Network Monitor Plugin ID 8372

Synopsis

The remote Android host was detected using an outdated version of Mozilla Firefox.

Description

Versions of Mozilla Firefox older than 32 (or 31.1) contain an information disclosure vulnerability in which a file: protocol hyperlink could link to a local file in the Firefox profile directory, bypassing access restrictions. A previous version addressed this issue only incompletely; it has since been more fully patched.

Solution

Upgrade to Mozilla Firefox for Android version 32 or 31.1, or later, from the Google Play app store.

See Also

http://www.mozilla.org/security/announce

http://www.mozilla.org/security/announce/2014/mfsa2014-71.html

Plugin Details

Severity: Low

ID: 8372

Family: Web Clients

Published: 2014/09/02

Modified: 2018/09/16

Dependencies: 6534

Risk Information

Risk Factor: Low

CVSSv2

Base Score: 1.9

Temporal Score: 1.7

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 2.9

Temporal Score: 2.8

Vector: CVSS3#AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mozilla:firefox_mobile

Patch Publication Date: 2014/09/02

Vulnerability Publication Date: 2014/09/02

Reference Information

CVE: CVE-2014-1566, CVE-2014-1515

BID: 66393, 69522