Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-8636

CWE-94 — Code Injection CWE-25011 documents10 sources

Severity

7.5HIGH

EPSS

83.6%

top 0.71%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Mozilla Firefox Mozilla Seamonkey

Timeline

PublishedJan 14

Latest updateMay 17

Description

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDmozilla/firefox34.0.5

▶NVDmozilla/seamonkey2.31

▶Ubuntufirefox< 35.0+build3-0ubuntu0.14.04.2

🔴Vulnerability Details

GHSA

GHSA-7xcg-82gw-cm6p: The XrayWrapper implementation in Mozilla Firefox before 35↗2022-05-17

▶

OSV

CVE-2014-8636: The XrayWrapper implementation in Mozilla Firefox before 35↗2015-01-14

▶

CVEList

CVE-2014-8636: The XrayWrapper implementation in Mozilla Firefox before 35↗2015-01-14

▶

OSV

firefox vulnerabilities↗2015-01-14

▶

VulnCheck

Mozilla Firefox Improper Control of Generation of Code ('Code Injection')↗2014

▶

💥Exploits & PoCs

Exploit-DB

Mozilla Firefox - Proxy Prototype Privileged JavaScript Injection (Metasploit)↗2015-03-24

▶

🔍Detection Rules

Suricata

ET WEB_CLIENT Firefox Proxy Prototype RCE Attempt (CVE-2014-8636)↗2015-03-26

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2015-01-14

▶

Red Hat

Mozilla: XrayWrapper bypass through DOM objects (MFSA 2015-09)↗2014-01-15

▶

💬Community

Bugzilla

CVE-2014-8636 Mozilla: XrayWrapper bypass through DOM objects (MFSA 2015-09)↗2015-01-12

▶