CVE-2014-1479

high-risk

Published 2014-02-06

The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent certain cloning operations, which allows remote attackers to bypass intended restrictions on XUL content via vectors involving XBL content scopes.

Do I need to act?

1.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Firefox

Seamonkey

Thunderbird

Ubuntu Linux

Debian Linux

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Server Tus

Enterprise Linux Workstation

Suse Linux Enterprise Software Development Kit

Opensuse

Suse Linux Enterprise Desktop

Suse Linux Enterprise Server

Ubuntu Linux

Enterprise Linux Desktop

Affected Vendors

Fedoraproject Suse Opensuse Debian Canonical Redhat Mozilla

References (66)

Broken Link http://download.novell.com/Download?buildid=VYQsgaFpQ2k

Broken Link http://download.novell.com/Download?buildid=Y2fux-JW1Qc

Mailing List http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.h...

Mailing List http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.h...

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html

Broken Link http://osvdb.org/102866

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2014-0132.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2014-0133.html

Broken Link http://secunia.com/advisories/56706

Broken Link http://secunia.com/advisories/56761

Broken Link http://secunia.com/advisories/56763

Broken Link http://secunia.com/advisories/56767

Broken Link http://secunia.com/advisories/56787

Broken Link http://secunia.com/advisories/56858

Broken Link http://secunia.com/advisories/56888

Broken Link http://secunia.com/advisories/56922

Third Party Advisory http://www.debian.org/security/2014/dsa-2858

and 46 more references

/ 100

high-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 21/34 · High