Vulnerability Description
The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 41.0.1 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-115.html (Vendor Advisory)
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/77100
- http://www.securitytracker.com/id/1033820
- http://www.ubuntu.com/usn/USN-2768-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
- https://bugzilla.mozilla.org/show_bug.cgi?id=1212669
FAQ
What is CVE-2015-7184?
CVE-2015-7184 is a vulnerability with a CVSS score of 6.8 (MEDIUM). The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin req...
How severe is CVE-2015-7184?
CVE-2015-7184 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2015-7184?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.