The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2014-1583 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (firefox) | RHSA-2014:1635 | 2014-10-15 |
| Red Hat Enterprise Linux 5 (firefox) | RHSA-2014:1635 | 2014-10-15 |
| Red Hat Enterprise Linux 7 (firefox) | RHSA-2014:1635 | 2014-10-15 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 6 | thunderbird | Not affected |
| Red Hat Enterprise Linux 5 | thunderbird | Not affected |
Vulmon