Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2014-1583 | First vendor Publication | 2014-10-15 |
| Vendor | Cve | Last vendor Modification | 2016-12-22 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1583 |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:26899 | |||
| Oval ID: | oval:org.mitre.oval:def:26899 | ||
| Title: | RHSA-2014:1635: firefox security update (Critical) | ||
| Description: | Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2014-1574, CVE-2014-1578, CVE-2014-1581, CVE-2014-1576, CVE-2014-1577) A flaw was found in the Alarm API, which allows applications to schedule actions to be run in the future. A malicious web application could use this flaw to bypass cross-origin restrictions. (CVE-2014-1583) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Bobby Holley, Christian Holler, David Bolter, Byron Campen Jon Coppeard, Atte Kettunen, Holger Fuhrmannek, Abhishek Arya, regenrecht, and Boris Zbarsky as the original reporters of these issues. For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 31.2.0 ESR. You can find a link to the Mozilla advisories in the References section of this erratum. All Firefox users should upgrade to these updated packages, which contain Firefox version 31.2.0 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. | ||
| Family: | unix | Class: | patch |
| Reference(s): | RHSA-2014:1635-00 CESA-2014:1635 CVE-2014-1574 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 | Version: | 3 |
| Platform(s): | Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 CentOS Linux 5 CentOS Linux 6 CentOS Linux 7 | Product(s): | firefox xulrunner |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:26973 | |||
| Oval ID: | oval:org.mitre.oval:def:26973 | ||
| Title: | USN-2372-1 -- Firefox vulnerabilities | ||
| Description: | Bobby Holley, Christian Holler, David Bolter, Byron Campen, Jon Coppeard, Carsten Book, Martijn Wargers, Shih-Chiang Chien, Terrence Cole and Jeff Walden discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1574">CVE-2014-1574</a>, <a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1575">CVE-2014-1575</a>) Atte Kettunen discovered a buffer overflow during CSS manipulation. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1576">CVE-2014-1576</a>) Holger Fuhrmannek discovered an out-of-bounds read with Web Audio. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal sensitive information. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1577">CVE-2014-1577</a>) Abhishek Arya discovered an out-of-bounds write when buffering WebM video in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1578">CVE-2014-1578</a>) Michal Zalewski discovered that memory may not be correctly initialized when rendering a malformed GIF in to a canvas in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to steal sensitive information. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1580">CVE-2014-1580</a>) A use-after-free was discovered during text layout in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Firefox. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1581">CVE-2014-1581</a>) Patrick McManus and David Keeler discovered 2 issues that could result in certificate pinning being bypassed in some circumstances. An attacker with a fraudulent certificate could potentially exploit this conduct a man in the middle attack. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1582">CVE-2014-1582</a>, <a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1584">CVE-2014-1584</a>) Eric Shepherd and Jan-Ivar Bruaroey discovered issues with video sharing via WebRTC in iframes, where video continues to be shared after being stopped and navigating to a new site doesn't turn off the camera. An attacker could potentially exploit this to access the camera without the user being aware. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1585">CVE-2014-1585</a>, <a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1586">CVE-2014-1586</a>) Boris Zbarsky discovered that webapps could use the Alarm API to read the values of cross-origin references. If a user were tricked in to installing a specially crafter webapp, an attacker could potentially exploit this to bypass same-origin restrictions. (<a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2014-1583">CVE-2014-1583</a>) | ||
| Family: | unix | Class: | patch |
| Reference(s): | USN-2372-1 CVE-2014-1574 CVE-2014-1575 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1580 CVE-2014-1581 CVE-2014-1582 CVE-2014-1584 CVE-2014-1585 CVE-2014-1586 CVE-2014-1583 | Version: | 3 |
| Platform(s): | Ubuntu 14.04 Ubuntu 12.04 | Product(s): | firefox |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:27134 | |||
| Oval ID: | oval:org.mitre.oval:def:27134 | ||
| Title: | ELSA-2014-1635 -- firefox security update | ||
| Description: | firefox [31.2.0-3.0.1.el7_0] - Add firefox-oracle-default-prefs.js and remove the corresponding Red Hat one [31.2.0-3] - Update to 31.2.0 ESR - Fix for mozbz#1042889 [31.1.0-7] - Enable WebM on all arches xulrunner [31.2.0-1.0.1] - Replaced xulrunner-redhat-default-prefs.js with xulrunner-oracle-default-prefs.js - Removed XULRUNNER_VERSION from SOURCE21 [31.2.0-1] - Update to 31.2.0 [31.1.0-3] - move /sdk/bin to xulrunner libdir [31.1.0-2] - Sync preferences with Firefox package [31.1.0-1] - Update to 31.1.0 ESR [31.0-2] - Fix header wrapper for aarch64 [31.0-1] - Update to 31.0 ESR | ||
| Family: | unix | Class: | patch |
| Reference(s): | ELSA-2014-1635 CVE-2014-1574 CVE-2014-1576 CVE-2014-1577 CVE-2014-1578 CVE-2014-1581 CVE-2014-1583 | Version: | 4 |
| Platform(s): | Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 | Product(s): | firefox xulrunner xulrunner-devel |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2015-05-27 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1510-1.nasl - Type : ACT_GATHER_INFO |
| 2015-05-27 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1458-3.nasl - Type : ACT_GATHER_INFO |
| 2015-05-27 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1458-2.nasl - Type : ACT_GATHER_INFO |
| 2015-05-27 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2014-1458-1.nasl - Type : ACT_GATHER_INFO |
| 2015-04-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO |
| 2014-12-18 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-784.nasl - Type : ACT_GATHER_INFO |
| 2014-11-20 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox31-201411-141115.nasl - Type : ACT_GATHER_INFO |
| 2014-11-11 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox31-201411-141105.nasl - Type : ACT_GATHER_INFO |
| 2014-11-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20141015_firefox_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
| 2014-11-03 | Name : The remote Fedora host is missing a security update. File : fedora_2014-14084.nasl - Type : ACT_GATHER_INFO |
| 2014-11-03 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-612.nasl - Type : ACT_GATHER_INFO |
| 2014-11-03 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-611.nasl - Type : ACT_GATHER_INFO |
| 2014-11-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3061.nasl - Type : ACT_GATHER_INFO |
| 2014-10-20 | Name : The remote Fedora host is missing a security update. File : fedora_2014-13042.nasl - Type : ACT_GATHER_INFO |
| 2014-10-20 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3050.nasl - Type : ACT_GATHER_INFO |
| 2014-10-16 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1635.nasl - Type : ACT_GATHER_INFO |
| 2014-10-16 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_9c1495ac8d8c4789a0f38ca6b476619c.nasl - Type : ACT_GATHER_INFO |
| 2014-10-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1635.nasl - Type : ACT_GATHER_INFO |
| 2014-10-15 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_31_2_esr.nasl - Type : ACT_GATHER_INFO |
| 2014-10-15 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2372-1.nasl - Type : ACT_GATHER_INFO |
| 2014-10-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1635.nasl - Type : ACT_GATHER_INFO |
| 2014-10-15 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_33.nasl - Type : ACT_GATHER_INFO |
| 2014-10-15 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_31_2_esr.nasl - Type : ACT_GATHER_INFO |
| 2014-10-15 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_33.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
| Date | Informations |
|---|---|
| 2024-02-10 01:24:24 |
|
| 2024-02-02 01:26:34 |
|
| 2024-02-01 12:07:52 |
|
| 2023-09-05 12:25:10 |
|
| 2023-09-05 01:07:46 |
|
| 2023-09-02 12:25:08 |
|
| 2023-09-02 01:07:53 |
|
| 2023-08-12 12:27:24 |
|
| 2023-08-12 01:07:23 |
|
| 2023-08-11 12:23:17 |
|
| 2023-08-11 01:07:34 |
|
| 2023-08-06 12:22:38 |
|
| 2023-08-06 01:07:21 |
|
| 2023-08-04 12:22:40 |
|
| 2023-08-04 01:07:25 |
|
| 2023-07-14 12:22:39 |
|
| 2023-07-14 01:07:24 |
|
| 2023-04-01 01:19:08 |
|
| 2023-03-29 01:24:33 |
|
| 2023-03-28 12:07:45 |
|
| 2022-10-11 12:20:26 |
|
| 2022-10-11 01:07:33 |
|
| 2021-05-04 12:30:02 |
|
| 2021-04-22 01:36:18 |
|
| 2020-10-14 01:10:50 |
|
| 2020-10-03 01:10:55 |
|
| 2020-05-29 01:09:59 |
|
| 2020-05-23 01:51:15 |
|
| 2020-05-23 00:40:02 |
|
| 2018-12-04 12:05:43 |
|
| 2018-01-18 12:05:59 |
|
| 2017-11-22 12:05:57 |
|
| 2016-12-22 09:23:38 |
|
| 2016-10-25 09:21:51 |
|
| 2016-06-28 22:36:21 |
|
| 2016-04-27 00:16:06 |
|
| 2015-05-28 13:27:48 |
|
| 2015-04-09 13:29:00 |
|
| 2014-12-19 13:24:30 |
|
| 2014-11-21 13:25:01 |
|
| 2014-11-19 09:23:14 |
|
| 2014-11-14 13:27:39 |
|
| 2014-11-12 13:27:09 |
|
| 2014-11-05 13:27:51 |
|
| 2014-11-04 13:27:28 |
|
| 2014-10-21 21:24:42 |
|
| 2014-10-20 13:24:55 |
|
| 2014-10-17 13:25:26 |
|
| 2014-10-16 13:25:18 |
|
| 2014-10-15 17:22:29 |
|
