Vulnerability Details : CVE-2014-1589
Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2014-1589
Probability of exploitation activity in the next 30 days: 0.64%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 76 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-1589
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
nvd@nist.gov |
CWE ids for CVE-2014-1589
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1589
-
http://www.mozilla.org/security/announce/2014/mfsa2014-84.html
XBL bindings accessible via improper CSS declarations — MozillaVendor Advisory
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1043787
1043787 - (CVE-2014-1589) Chrome level XBL bindings can be triggered from content
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016
-
https://security.gentoo.org/glsa/201504-01
Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security
Products affected by CVE-2014-1589
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*