CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
Confidence: High
EPSS
Percentile: 80.5%
The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm.
Vendor | Product | Version | CPE |
---|---|---|---|
mozilla | firefox | * | cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* |
mozilla | firefox | 30.0 | cpe:2.3:a:mozilla:firefox:30.0:*:*:*:*:*:*:* |
mozilla | firefox | 31.0 | cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:* |
mozilla | firefox | 31.1.0 | cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:* |
mozilla | firefox_esr | 31.0 | cpe:2.3:a:mozilla:firefox_esr:31.0:*:*:*:*:*:*:* |
mozilla | firefox_esr | 31.1.0 | cpe:2.3:a:mozilla:firefox_esr:31.1.0:*:*:*:*:*:*:* |
lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html
lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html
lists.opensuse.org/opensuse-updates/2014-11/msg00001.html
lists.opensuse.org/opensuse-updates/2014-11/msg00002.html
rhn.redhat.com/errata/RHSA-2014-1635.html
secunia.com/advisories/61854
secunia.com/advisories/62022
secunia.com/advisories/62023
www.debian.org/security/2014/dsa-3050
www.mozilla.org/security/announce/2014/mfsa2014-82.html
www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
www.securityfocus.com/bid/70424
www.securitytracker.com/id/1031028
www.securitytracker.com/id/1031030
www.ubuntu.com/usn/USN-2372-1
advisories.mageia.org/MGASA-2014-0421.html
bugzilla.mozilla.org/show_bug.cgi?id=1015540
security.gentoo.org/glsa/201504-01