Mozilla Firefox up to 40.0.2 Add-on Installation privilege escalation : 8/28/2015 10:58:01 AM

App Marketing Basics This eBook shows you how common web marketing tactics map to their mobile counterparts, including a "this = that" chart of web to app equivalents. From our sponsors

 

 

Vulnerability Advisories

Vulnerabilities of scip VulDB

Mozilla Firefox up to 40.0.2 Add-on Installation privilege escalation
8/26/2015 7:00:00 PM

General

scipID: 77469
Affected: Mozilla Firefox up to 40.0.2
Published: 08/27/2015 (Bas Venis)
Risk: critical

Created: 08/28/2015
Entry: 75% complete

Summary

A vulnerability was found in Mozilla Firefox up to 40.0.2. It has been classified as critical. This affects an unknown function of the component Add-on Installation. The manipulation with an unknown input leads to a privilege escalation vulnerability. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was shared 08/27/2015 by Bas Venis as MFSA 2015-95 as confirmed security advisory (Website). The advisory is shared for download at mozilla.org. This vulnerability is uniquely identified as CVE-2015-4498. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available.

Upgrading to version 40.0.3 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. The vulnerability is also documented in the databases at X-Force (105898) and SecurityTracker (ID 1033396).

CVSS

Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P) [?]
Temp Score: 5.0 (CVSS2#E:U/RL:OF/RC:C) [?]

CPE

• cpe:/a:mozilla:firefox:40.0.0
• cpe:/a:mozilla:firefox:40.0.1
• cpe:/a:mozilla:firefox:40.0.2

Exploiting

Class: Privilege escalation
Local: No
Remote: Yes

Availability: No
Status: Unproven

Countermeasures

Recommended: Upgrade
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known

Upgrade: Firefox 40.0.3

Timeline

08/27/2015 | Advisory disclosed
08/27/2015 | Countermeasure disclosed
08/27/2015 | SecurityTracker entry created
08/28/2015 | VulDB entry created
08/28/2015 | VulDB entry updated

Sources

Advisory: MFSA 2015-95
Researcher: Bas Venis
Status: Confirmed

CVE: CVE-2015-4498 (mitre.org) (nvd.nist.org) (cvedetails.com)

X-Force: 105898 – Mozilla Firefox add-ons security bypass
SecurityTracker: 1033396 – Mozilla Firefox Lets Remote Users Bypass the Add-on Installation Prompt on the Target System

 

You are receiving this email because you subscribed to this feed at feedmyinbox.com

If you no longer wish to receive these emails, you can unsubscribe from this feed, or manage all your subscriptions