Vulnerability Description
The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensuse | Opensuse | 11.4 |
| Suse | Linux Enterprise Desktop | 11 |
| Suse | Linux Enterprise Server | 11 |
| Suse | Linux Enterprise Software Development Kit | 11 |
| Oracle | Solaris | 11.3 |
| Canonical | Ubuntu Linux | 12.04 |
| Mozilla | Firefox | < 27.0 |
| Mozilla | Seamonkey | < 2.24 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.htmlMailing ListThird Party Advisory
- http://osvdb.org/102867Broken Link
- http://secunia.com/advisories/56888Broken Link
- http://www.mozilla.org/security/announce/2014/mfsa2014-03.htmlVendor Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
- http://www.securityfocus.com/bid/65331Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1029717Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1029720Third Party AdvisoryVDB Entry
- http://www.ubuntu.com/usn/USN-2102-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-2102-2Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=916726Issue TrackingVendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90897Third Party AdvisoryVDB Entry
- https://security.gentoo.org/glsa/201504-01Third Party Advisory
FAQ
What is CVE-2014-1480?
CVE-2014-1480 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjack...
How severe is CVE-2014-1480?
CVE-2014-1480 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-1480?
Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Opensuse, Suse Linux Enterprise Desktop, Suse Linux Enterprise Server, Suse Linux Enterprise Software Development Kit, Oracle Solaris.