Vulnerability Description
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opensuse | Opensuse | 13.1 |
| Canonical | Ubuntu Linux | 12.04 |
| Mozilla | Firefox | <= 36.0.4 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-42.htmlVendor Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securitytracker.com/id/1031996
- http://www.ubuntu.com/usn/USN-2550-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1124898
- https://security.gentoo.org/glsa/201512-10
- https://www.exploit-db.com/exploits/37958/
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-42.htmlVendor Advisory
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securitytracker.com/id/1031996
- http://www.ubuntu.com/usn/USN-2550-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1124898
- https://security.gentoo.org/glsa/201512-10
FAQ
What is CVE-2015-0802?
CVE-2015-0802 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScri...
How severe is CVE-2015-0802?
CVE-2015-0802 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-0802?
Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Opensuse, Canonical Ubuntu Linux, Mozilla Firefox.