CVE-2016-1949

Published: 13/02/2016 Updated: 06/12/2016
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Mozilla Firefox prior to 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote malicious users to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.

Vulnerable Product

mozilla firefox

Vendor Advisories

A same-origin-policy bypass was discovered in Firefox ...
Mozilla Foundation Security Advisory 2016-13: Same-origin-policy violation using Service Workers with plugins
Announced: February 11, 2016
Reporter: Jason Pang
Impact: Critical
Products: Firefox
Fixed in: ...
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file ...