FKIE_CVE-2014-8638

Vulnerability from fkie_nvd - Published: 2015-01-14 11:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.
References
security@mozilla.orghttp://linux.oracle.com/errata/ELSA-2015-0046.html
security@mozilla.orghttp://linux.oracle.com/errata/ELSA-2015-0047.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
security@mozilla.orghttp://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html
security@mozilla.orghttp://rhn.redhat.com/errata/RHSA-2015-0046.html
security@mozilla.orghttp://rhn.redhat.com/errata/RHSA-2015-0047.html
security@mozilla.orghttp://secunia.com/advisories/62237
security@mozilla.orghttp://secunia.com/advisories/62242
security@mozilla.orghttp://secunia.com/advisories/62250
security@mozilla.orghttp://secunia.com/advisories/62253
security@mozilla.orghttp://secunia.com/advisories/62259
security@mozilla.orghttp://secunia.com/advisories/62273
security@mozilla.orghttp://secunia.com/advisories/62274
security@mozilla.orghttp://secunia.com/advisories/62283
security@mozilla.orghttp://secunia.com/advisories/62293
security@mozilla.orghttp://secunia.com/advisories/62304
security@mozilla.orghttp://secunia.com/advisories/62313
security@mozilla.orghttp://secunia.com/advisories/62315
security@mozilla.orghttp://secunia.com/advisories/62316
security@mozilla.orghttp://secunia.com/advisories/62418
security@mozilla.orghttp://secunia.com/advisories/62446
security@mozilla.orghttp://secunia.com/advisories/62657
security@mozilla.orghttp://secunia.com/advisories/62790
security@mozilla.orghttp://www.debian.org/security/2015/dsa-3127
security@mozilla.orghttp://www.debian.org/security/2015/dsa-3132
security@mozilla.orghttp://www.mozilla.org/security/announce/2014/mfsa2015-03.htmlVendor Advisory
security@mozilla.orghttp://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
security@mozilla.orghttp://www.securityfocus.com/bid/72047
security@mozilla.orghttp://www.securitytracker.com/id/1031533
security@mozilla.orghttp://www.securitytracker.com/id/1031534
security@mozilla.orghttp://www.ubuntu.com/usn/USN-2460-1
security@mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=1080987
security@mozilla.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/99958
security@mozilla.orghttps://security.gentoo.org/glsa/201504-01
af854a3a-2127-422b-91ae-364da2661108http://linux.oracle.com/errata/ELSA-2015-0046.html
af854a3a-2127-422b-91ae-364da2661108http://linux.oracle.com/errata/ELSA-2015-0047.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2015-0046.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2015-0047.html
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62237
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62242
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62250
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62253
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62259
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62273
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62274
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62283
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62293
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62304
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62313
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62315
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62316
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62418
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62446
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62657
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/62790
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2015/dsa-3127
af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2015/dsa-3132
af854a3a-2127-422b-91ae-364da2661108http://www.mozilla.org/security/announce/2014/mfsa2015-03.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/72047
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1031533
af854a3a-2127-422b-91ae-364da2661108http://www.securitytracker.com/id/1031534
af854a3a-2127-422b-91ae-364da2661108http://www.ubuntu.com/usn/USN-2460-1
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.mozilla.org/show_bug.cgi?id=1080987
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/99958
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201504-01
Impacted products
Vendor Product Version
mozilla firefox 31.0
mozilla firefox 31.1.0
mozilla firefox 31.1.1
mozilla firefox 31.3.0
mozilla firefox_esr 31.2
mozilla thunderbird *
mozilla firefox *
mozilla seamonkey *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11F024A-A8B7-405B-8A13-4BF406FBDB22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D81A3698-797C-4CD9-BB02-A9182E0A6E11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:31.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "84E8D7C7-B578-4623-9EA2-D13965DBE1F3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:31.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3E5D043-71F8-4A61-BEA4-176153E26FD6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "7DCA6959-24B7-4F86-BE25-0A8A7C1A3D13",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A6A581F-0EB4-4DA9-AE5E-1F982DBBDB16",
              "versionEndIncluding": "31.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "48BDA1BA-1A04-4CD5-850A-0AB5990DAEA1",
              "versionEndIncluding": "34.0.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E929387-65C1-4D6E-976D-8DB6EEBDD58A",
              "versionEndIncluding": "2.31",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site."
    },
    {
      "lang": "es",
      "value": "La implementaci\u00f3n navigator.sendBeacon en Mozilla Firefox anterior a 35.0, Firefox ESR 31.x anterior a 31.4, Thunderbird anterior a 31.4, y SeaMonkey anterior a 2.32 omite la cabecera CORS Origin, lo que permite a atacantes remotos evadir las comprobaciones del control de acceso a CORS y realizar ataques de CSRF a trav\u00e9s de un sitio web manipulado."
    }
  ],
  "id": "CVE-2014-8638",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2015-01-14T11:59:07.163",
  "references": [
    {
      "source": "security@mozilla.org",
      "url": "http://linux.oracle.com/errata/ELSA-2015-0046.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://linux.oracle.com/errata/ELSA-2015-0047.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0046.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0047.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62237"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62242"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62250"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62253"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62259"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62273"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62274"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62283"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62293"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62304"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62313"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62315"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62316"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62418"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62446"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62657"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://secunia.com/advisories/62790"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.debian.org/security/2015/dsa-3127"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.debian.org/security/2015/dsa-3132"
    },
    {
      "source": "security@mozilla.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.mozilla.org/security/announce/2014/mfsa2015-03.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.securityfocus.com/bid/72047"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.securitytracker.com/id/1031533"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.securitytracker.com/id/1031534"
    },
    {
      "source": "security@mozilla.org",
      "url": "http://www.ubuntu.com/usn/USN-2460-1"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1080987"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99958"
    },
    {
      "source": "security@mozilla.org",
      "url": "https://security.gentoo.org/glsa/201504-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://linux.oracle.com/errata/ELSA-2015-0046.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://linux.oracle.com/errata/ELSA-2015-0047.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0046.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0047.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62237"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62242"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62250"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62253"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62259"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62273"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62274"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62283"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62293"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62304"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62313"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62315"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62316"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62418"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62446"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62657"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62790"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2015/dsa-3127"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2015/dsa-3132"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.mozilla.org/security/announce/2014/mfsa2015-03.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/72047"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1031533"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1031534"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2460-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1080987"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/99958"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.gentoo.org/glsa/201504-01"
    }
  ],
  "sourceIdentifier": "security@mozilla.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.