CVE-2014-1485 — Mozilla Firefox vulnerability

6 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 23.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Canonical Ubuntu Linux +5 more

Timeline

PublishedFeb 6

Latest updateMay 13

Description

The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages7 packages

▶NVDmozilla/firefox< 27.0

▶NVDmozilla/seamonkey< 2.24

▶NVDoracle/solaris11.3

▶NVDopensuse/opensuse11.4, 12.3, 13.1+2

▶NVDsuse/linux_enterprise_server11

Also affects: Ubuntu Linux 12.04, 12.10, 13.10

🔴Vulnerability Details

GHSA

GHSA-4mw4-24vq-q626: The Content Security Policy (CSP) implementation in Mozilla Firefox before 27↗2022-05-13

▶

CVEList

CVE-2014-1485: The Content Security Policy (CSP) implementation in Mozilla Firefox before 27↗2014-02-06

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2014-02-10

▶

Red Hat

Mozilla: XSLT stylesheets treated as styles in Content Security Policy (MFSA 2014-07)↗2014-02-04

▶

💬Community

Bugzilla

CVE-2014-1485 Mozilla: XSLT stylesheets treated as styles in Content Security Policy (MFSA 2014-07)↗2014-02-04

▶