CVE-2014-8638

High

Description

The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

References

https://security.gentoo.org/glsa/201504-01

https://exchange.xforce.ibmcloud.com/vulnerabilities/99958

https://bugzilla.mozilla.org/show_bug.cgi?id=1080987

http://www.ubuntu.com/usn/USN-2460-1

http://www.securitytracker.com/id/1031534

http://www.securitytracker.com/id/1031533

http://www.securityfocus.com/bid/72047

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

http://www.mozilla.org/security/announce/2014/mfsa2015-03.html

http://www.debian.org/security/2015/dsa-3132

http://www.debian.org/security/2015/dsa-3127

http://secunia.com/advisories/62790

http://secunia.com/advisories/62657

http://secunia.com/advisories/62446

http://secunia.com/advisories/62418

http://secunia.com/advisories/62316

http://secunia.com/advisories/62315

http://secunia.com/advisories/62313

http://secunia.com/advisories/62304

http://secunia.com/advisories/62293

http://secunia.com/advisories/62283

http://secunia.com/advisories/62274

http://secunia.com/advisories/62273

http://secunia.com/advisories/62259

http://secunia.com/advisories/62253

http://secunia.com/advisories/62250

http://secunia.com/advisories/62242

http://secunia.com/advisories/62237

http://rhn.redhat.com/errata/RHSA-2015-0047.html

http://rhn.redhat.com/errata/RHSA-2015-0046.html

http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

http://linux.oracle.com/errata/ELSA-2015-0047.html

http://linux.oracle.com/errata/ELSA-2015-0046.html

Details

Source: Mitre, NVD

Published: 2015-01-14

Updated: 2017-09-08

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High