CVE-2015-7184 — Improper Access Control in Mozilla Firefox

CWE-284 — Improper Access Control CWE-358 — Improperly Implemented Security Check for Standard9 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.2%

top 52.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox

Timeline

PublishedOct 18

Latest updateMay 17

Description

The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶Ubuntumozilla/firefox< 41.0.2+build2-0ubuntu0.14.04.1

▶NVDmozilla/firefox41.0.1

🔴Vulnerability Details

GHSA

GHSA-xj5m-432r-gpqm: The fetch API implementation in Mozilla Firefox before 41↗2022-05-17

▶

OSV

CVE-2015-7184: The fetch API implementation in Mozilla Firefox before 41↗2015-10-18

▶

OSV

firefox vulnerability↗2015-10-16

▶

📋Vendor Advisories

Red Hat

ntp: Interleaved symmetric mode cannot recover from bad state↗2018-02-27

▶

Ubuntu

Firefox vulnerability↗2015-10-16

▶

Red Hat

firefox: cross-origin restriction bypass using Fetch↗2015-10-15

▶

💬Community

Bugzilla

CVE-2015-7184 firefox: cross-origin restriction bypass using Fetch↗2015-10-16

▶

Bugzilla

Cross-Origin restriction bypass with fetch using 302 redirection↗2015-09-25

▶