CVE-2015-0802
Published 2015-04-01
Priority: P3 (53)
Severity: medium · CVSS 2.0 base score 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
EXPLOIT available
EPSS: 67.47% (99.2th percentile)
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| mozilla | firefox | <= 36.0.4 | — |
| mozilla | firefox | >= 0 < 37.0+build2-0ubuntu0.14.04.1 | 37.0+build2-0ubuntu0.14.04.1 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs (extracted from sources)
- Exploit targets Firefox versions 35–36 specifically; browser UA version checks between 35 and 36 are a key fingerprint used by the exploit delivery logic.
- Exploit requires user click interaction to trigger; monitor for suspicious iframe injection of data:application/pdf and data:application/xml URIs combined with PDF.js loading in Firefox 35–36.
- Exploit abuses resource:// URIs for privilege escalation via PDF.js; monitor for resource:// URI access originating from web content contexts in Firefox.
- Exploit uses messageManager.loadFrameScript with a data: URI to inject privileged JavaScript into the chrome window; detect calls to loadFrameScript with data: scheme arguments from unprivileged content.
- Exploit navigates a privileged chrome:// window to attacker-controlled content to escalate privileges; monitor for navigation of chrome:// windows to non-chrome origins.
- Exploit uses the view-source: scheme combined with object element data attribute manipulation as part of sandbox context acquisition; monitor for object elements switching from data:application/pdf to view-source: URIs.
- Exploit uses setInterval polling (every 20 ms) to detect sandboxContext availability before launching chrome:// navigation; this tight polling loop on window properties may be detectable via browser instrumentation.
- CVE-2015-0802 is chained with CVE-2015-0816 (PDF.js can load chrome:// URIs); detections should consider both CVEs together when triaging Firefox 35–36 exploitation attempts.
- CVE-2015-0802 alone does not enable privilege escalation; it requires a separate flaw (such as CVE-2015-0816) to allow web content to obtain a reference to a privileged window before this vulnerability can be exploited.
- Red Hat Enterprise Linux 5, 6, and 7 shipped versions of Firefox and Thunderbird are confirmed not affected by this CVE; detections targeting RHEL environments should be scoped accordingly.
- The Metasploit module targets Firefox 35–36 for the combined CVE-2015-0816 + CVE-2015-0802 chain; Firefox 37+ is patched and the exploit's UA version gate will not fire against it.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_redhat | 5.0 | MEDIUM | — |
Ubuntu
Firefox vulnerabilities
vendor_ubuntu · 2015-04-01 · CVSS 7.5 · CVE-2015-0801 [HIGH]
Summary: Firefox could be made to crash or run programs as your login if it opened a malicious website.
Olli Pettay and Boris Zbarsky discovered an issue during anchor navigations in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin policy restrictions. (CVE-2015-0801)
Bobby Holley discovered that windows created to hold privileged UI content retained access to privileged internal methods if navigated to unprivileged content. An attacker could potentially exploit this in combination with another flaw, in order to execute arbitrary script in a privileged context. (CVE-2015-0802)
Several type confusion issues were discovered in Firefox. If a user were tricke
Red Hat
Mozilla: Windows can retain access to privileged content on navigation to unprivileged pages (MFSA 2015-42)
vendor_redhat · 2015-03-31 · CVSS 5.0 · CVE-2015-0802 [MEDIUM] · CWE-250
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
Statement: This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Package: firefox (Red Hat Enterprise Linux 5) - Not affected
Package: thunderbird (Red Hat Enterprise Linux 5) - Not affected
Package: firefox (Red Hat Enterprise Linu
GHSA
GHSA-gjrg-r3r9-354j: Mozilla Firefox before 37
ghsa_unreviewed · 2022-05-14 · CVE-2015-0802 [MEDIUM]
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
OSV
CVE-2015-0802: Mozilla Firefox before 37
osv · 2015-04-01 · CVSS 5.0 · CVE-2015-0802 [MEDIUM]
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
OSV
firefox vulnerabilities
osv · 2015-04-01 · CVSS 7.5 · CVE-2015-0801 [HIGH]
Olli Pettay and Boris Zbarsky discovered an issue during anchor navigations in some circumstances. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin policy restrictions. (CVE-2015-0801)
Bobby Holley discovered that windows created to hold privileged UI content retained access to privileged internal methods if navigated to unprivileged content. An attacker could potentially exploit this in combination with another flaw, in order to execute arbitrary script in a privileged context. (CVE-2015-0802)
Several type confusion issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of se
No detection rules found.
Exploit-DB
Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)
exploitdb · 2015-08-24 · CVSS 5.0 · CVE-2015-0816 [MEDIUM]
---
Module header as carried by the Exploit-DB entry (the text is cut off mid-line in the source page; the class declaration and the `'Name'` key, which the extraction dropped together with everything between `<` and `>`, are restored here since the remaining keys are the siblings of `'Name'` inside `update_info`):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Mixin includes and the opening of initialize were lost in the page
  # extraction; only the metadata hash below survives verbatim.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Firefox PDF.js Privileged Javascript Injection',
      'Description'    => %q{
        This module gains remote code execution on Firefox 35-36 by abusing a
        privilege escalation bug in resource:// URIs. PDF.js is used to exploit
        the bug. This exploit requires the user to click anywhere on the page to
        trigger the vulnerability.
      },
      'Author'         => [
        'Unknown',        # PDF.js injection code was taken from a 0day
        'Marius Mlynski', # discovery and pwn2own exploit
        'joev'            # copypasta monkey, CVE-2015-0802
      ],
      'DisclosureDate' => "Mar 31 2015",
      'License'        => MSF_LICENSE,
      'Ref
```
(The excerpt ends here in the source page.)
Metasploit
Firefox Proxy Prototype Privileged Javascript Injection
metasploit
This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Metasploit
Firefox PDF.js Privileged Javascript Injection
metasploit
This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
References
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-42.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securitytracker.com/id/1031996
- http://www.ubuntu.com/usn/USN-2550-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1124898
- https://security.gentoo.org/glsa/201512-10
- https://www.exploit-db.com/exploits/37958/