CVE-2015-0812 : Mozilla Firefox before 37.0 does not require an HTTPS session for lightweight theme add-on installations, which allows m

Mozilla Firefox before 37.0 does not require an HTTPS session for lightweight theme add-on installations, which allows man-in-the-middle attackers to bypass an intended user-confirmation requirement by deploying a crafted web site and conducting a DNS spoofing attack against a mozilla.org subdomain.

Published 2015-04-01 10:59:11

Updated 2018-10-30 16:27:36

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2015-0812

Probability of exploitation activity in the next 30 days: 0.21%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 58 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2015-0812

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2015-0812

CWE-17

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-0812

http://www.securitytracker.com/id/1031996

Mozilla Firefox Bugs Let Remote Users Execute Arbitrary Code, Bypass Security Restrictions, and Obtain Potentially Sensitive Information - SecurityTracker

CVEs referencing this url
https://security.gentoo.org/glsa/201512-10

Mozilla Products: Multiple vulnerabilities (GLSA 201512-10) — Gentoo security

CVEs referencing this url
http://www.mozilla.org/security/announce/2015/mfsa2015-32.html

Add-on lightweight theme installation approval bypassed through MITM attack — Mozilla
Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Oracle Solaris Bulletin - April 2016

CVEs referencing this url
http://www.ubuntu.com/usn/USN-2550-1

USN-2550-1: Firefox vulnerabilities | Ubuntu security notices

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html

[security-announce] openSUSE-SU-2015:0677-1: important: Security update

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1128126

1128126 - (CVE-2015-0812) Addon permissions exposed to man-in-the-middle attacks

Products affected by CVE-2015-0812

Mozilla » Firefox » Version: 36.0.4
cpe:2.3:a:mozilla:firefox:36.0.4:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.10
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.1
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2015-0812

Exploit prediction scoring system (EPSS) score for CVE-2015-0812

CVSS scores for CVE-2015-0812

CWE ids for CVE-2015-0812

References for CVE-2015-0812

Products affected by CVE-2015-0812