CVE-2014-8638

CWE-352 — Cross-Site Request Forgery (CSRF)10 documents7 sources

Severity

6.8MEDIUM

EPSS

0.5%

top 34.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Seamonkey Mozilla Thunderbird +1 more

Timeline

PublishedJan 14

Latest updateMay 17

Description

The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages6 packages

▶NVDmozilla/firefox34.0.5+4

▶NVDmozilla/firefox_esr31.2

▶Ubuntufirefox< 35.0+build3-0ubuntu0.14.04.2

▶NVDmozilla/seamonkey2.31

▶NVDmozilla/thunderbird31.3.0

🔴Vulnerability Details

GHSA

GHSA-38xr-6jm2-v69w: The navigator↗2022-05-17

▶

OSV

thunderbird vulnerabilities↗2015-01-19

▶

CVEList

CVE-2014-8638: The navigator↗2015-01-14

▶

OSV

CVE-2014-8638: The navigator↗2015-01-14

▶

📋Vendor Advisories

Red Hat

Mozilla: CORS requests should not follow 30x redirections after preflight (MFSA 2015-37)↗2015-03-31

▶

Ubuntu

Thunderbird vulnerabilities↗2015-01-19

▶

Ubuntu

Firefox vulnerabilities↗2015-01-14

▶

Red Hat

Mozilla: sendBeacon requests lack an Origin header (MFSA 2015-03)↗2015-01-13

▶

💬Community

Bugzilla

CVE-2014-8638 Mozilla: sendBeacon requests lack an Origin header (MFSA 2015-03)↗2015-01-12

▶