Mozilla Firefox prior to 37.0 does not require an HTTPS session for lightweight theme add-on installations, which allows man-in-the-middle attackers to bypass an intended user-confirmation requirement by deploying a crafted web site and conducting a DNS spoofing attack against a mozilla.org subdomain.
Vulnerable Product |
---|
mozilla firefox 36.0.4 |
opensuse opensuse 13.1 |
opensuse opensuse 13.2 |
canonical ubuntu linux 14.10 |
canonical ubuntu linux 12.04 |
canonical ubuntu linux 14.04 |