CVE-2015-4478 — Sensitive Information Exposure in Mozilla Firefox

CWE-200 — Sensitive Information Exposure11 documents6 sources

Severity

5.0MEDIUMNVD

OSV10.0

EPSS

0.7%

top 28.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Canonical Ubuntu Linux Opensuse

Timeline

PublishedAug 16

Latest updateMay 14

Description

Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 do not impose certain ECMAScript 6 requirements on JavaScript object properties, which allows remote attackers to bypass the Same Origin Policy via the reviver parameter to the JSON.parse method.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Ubuntumozilla/firefox< 40.0+build4-0ubuntu0.14.04.1+1

▶NVDmozilla/firefox39.0.3+4

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Ubuntu Linux 12.04, 14.04, 15.04

🔴Vulnerability Details

GHSA

GHSA-m7fr-3m5q-g72f: Mozilla Firefox before 40↗2022-05-14

▶

OSV

firefox regression↗2015-08-20

▶

OSV

firefox vulnerabilities↗2015-08-11

▶

OSV

CVE-2015-4478: Mozilla Firefox before 40↗2015-08-11

▶

OSV

ubufox update↗2015-08-11

▶

📋Vendor Advisories

Ubuntu

Firefox regression↗2015-08-20

▶

Ubuntu

Firefox vulnerabilities↗2015-08-11

▶

Ubuntu

Ubufox update↗2015-08-11

▶

Red Hat

Mozilla: Redefinition of non-configurable JavaScript object properties (MFSA 2015-82)↗2015-08-11

▶

💬Community

Bugzilla

CVE-2015-4478 Mozilla: Redefinition of non-configurable JavaScript object properties (MFSA 2015-82)↗2015-08-11

▶