4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
58.5%
Mozilla Firefox before 37.0 does not require an HTTPS session for
lightweight theme add-on installations, which allows man-in-the-middle
attackers to bypass an intended user-confirmation requirement by deploying
a crafted web site and conducting a DNS spoofing attack against a
mozilla.org subdomain.