4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
65.5%
The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in
Mozilla Firefox before 40.0 does not implement the Content Security Policy
Level 2 exceptions for the blob, data, and filesystem URL schemes during
wildcard source-expression matching, which might make it easier for remote
attackers to conduct cross-site scripting (XSS) attacks by leveraging
unexpected policy-enforcement behavior.