CVE-2015-7187Cross-site Scripting in Mozilla Firefox

CWE-2547 documents6 sources
Severity
4.3MEDIUMNVD
OSV7.5
EPSS
0.5%
top 34.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Mozilla Firefox
Timeline
PublishedNov 5
Latest updateMay 17

Description

The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaScript code that is executed within a third-party extension.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

Ubuntumozilla/firefox< 42.0+build2-0ubuntu0.14.04.1
NVDmozilla/firefox41.0.2

🔴Vulnerability Details

3
GHSA
GHSA-7xcg-pmvr-6h7r: The Add-on SDK in Mozilla Firefox before 422022-05-17
OSV
firefox vulnerabilities2015-11-04
OSV
CVE-2015-7187: The Add-on SDK in Mozilla Firefox before 422015-11-04

📋Vendor Advisories

2
Ubuntu
Firefox vulnerabilities2015-11-04
Red Hat
Mozilla: disabling scripts in Add-on SDK panels has no effect (MFSA 2015-121)2015-11-04

💬Community

1
Bugzilla
CVE-2015-7187 Mozilla: disabling scripts in Add-on SDK panels has no effect (MFSA 2015-121)2015-11-03