CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
94.8%
Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox or Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running it (CVE-2014-8634). It was found that the Beacon interface implementation in Firefox and Thunderbird did not follow the Cross-Origin Resource Sharing (CORS) specification. A web page containing malicious content could allow a remote attacker to conduct a Cross-Site Request Forgery (XSRF) attack (CVE-2014-8638). It was found that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read (CVE-2014-8639). Security researcher Mitchell Harper discovered a read-after-free in WebRTC due to the way tracks are handled. This results in a either a potentially exploitable crash or incorrect WebRTC behavior. Note that this issue only affects Firefox (CVE-2014-8641).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | firefox | < 31.4.0-1 | firefox-31.4.0-1.mga4 |
Mageia | 4 | noarch | firefox-l10n | < 31.4.0-1 | firefox-l10n-31.4.0-1.mga4 |
Mageia | 4 | noarch | thunderbird | < 31.4.0-1 | thunderbird-31.4.0-1.mga4 |
Mageia | 4 | noarch | thunderbird-l10n | < 31.4.0-1 | thunderbird-l10n-31.4.0-1.mga4 |
bugs.mageia.org/show_bug.cgi?id=15040
rhn.redhat.com/errata/RHSA-2015-0046.html
rhn.redhat.com/errata/RHSA-2015-0047.html
www.mozilla.org/en-US/security/advisories/mfsa2015-01/
www.mozilla.org/en-US/security/advisories/mfsa2015-03/
www.mozilla.org/en-US/security/advisories/mfsa2015-04/
www.mozilla.org/en-US/security/advisories/mfsa2015-06/
www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/