CVE-2015-4518 — Cross-site Scripting in Mozilla Firefox
Severity
4.3 MEDIUM (NVD)
7.5 (OSV)
EPSS
1.1% (top 21.51%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 5
Latest update: May 17
Description
The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL.
CVSS vector
AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9
Affected Packages
2 packages
Community
Bugzilla: CVE-2015-4518 Mozilla: CSP bypass due to permissive Reader mode whitelist (MFSA 2015-118), 2015-11-03