CVE-2014-1486

high-risk

Published 2014-02-06

Use-after-free vulnerability in the imgRequestProxy function in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving unspecified Content-Type values for image data.

Do I need to act?

10.8% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Firefox

Seamonkey

Thunderbird

Suse Linux Enterprise Software Development Kit

Opensuse

Suse Linux Enterprise Desktop

Suse Linux Enterprise Server

Debian Linux

Ubuntu Linux

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Tus

Enterprise Linux Workstation

Fedora

Opensuse

Affected Vendors

Canonical Opensuse Debian Redhat Mozilla Suse Fedoraproject

References (66)

Broken Link http://download.novell.com/Download?buildid=VYQsgaFpQ2k

Broken Link http://download.novell.com/Download?buildid=Y2fux-JW1Qc

Mailing List http://lists.fedoraproject.org/pipermail/package-announce/2014-February/127966.h...

Mailing List http://lists.fedoraproject.org/pipermail/package-announce/2014-February/129218.h...

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html

Broken Link http://osvdb.org/102872

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2014-0132.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2014-0133.html

Broken Link http://secunia.com/advisories/56706

Broken Link http://secunia.com/advisories/56761

Broken Link http://secunia.com/advisories/56763

Broken Link http://secunia.com/advisories/56767

Broken Link http://secunia.com/advisories/56787

Broken Link http://secunia.com/advisories/56858

Broken Link http://secunia.com/advisories/56888

Broken Link http://secunia.com/advisories/56922

Third Party Advisory http://www.debian.org/security/2014/dsa-2858

and 46 more references

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 11/34 · Low

Exposure 20/34 · Moderate