Mozilla Firefox PDF Viewer Same-Origin Bypass Lets Remote Users Obtain Potentially Sensitive Information on the Target System
SecurityTracker Alert ID: 1033216
SecurityTracker URL: http://securitytracker.com/id/1033216
CVE Reference:
CVE-2015-4495
Date: Aug 7 2015
Impact:
Disclosure of system information, Disclosure of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): prior to 39.0.3
Description:
A vulnerability was reported in Mozilla Firefox. A remote user can obtain files from the target user's system.
A remote user can create specially crafted content that, when loaded by the target user, will bypass same-origin policy and inject arbitrary JavaScript into the built-in PDF Viewer in the local file context and gain access to files on the target user's system with the privileges of the target user.
This vulnerability is being actively exploited.
Cody Crews reported this vulnerability.
Impact:
A remote user can obtain files on the target user's system.
Solution:
The vendor has issued a fix (39.0.3, ESR 38.1.1).
The vendor's advisory is available at:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
Vendor URL: www.mozilla.org/en-US/security/advisories/mfsa2015-78/
Cause:
Access control error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.