CVE-2014-1590 : The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0, Firefox

The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 allows remote attackers to cause a denial of service (application crash) via a crafted JavaScript object.

Published 2014-12-11 11:59:04

Updated 2016-12-24 02:59:02

Source Mozilla Corporation

View at NVD, CVE.org

Vulnerability category: Input validationDenial of service

Products affected by CVE-2014-1590

Mozilla » Firefox
Versions up to, including, (<=) 33.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions up to, including, (<=) 31.2
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Seamonkey
Versions up to, including, (<=) 2.30
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions up to, including, (<=) 31.2
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-1590

EPSS FAQ

1.00%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-1590

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2014-1590

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-1590

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.html

[security-announce] openSUSE-SU-2015:0138-1: important: Firefox update t

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Oracle Solaris Third Party Bulletin - April 2015

CVEs referencing this url
http://www.securityfocus.com/bid/71397

Mozilla Firefox/Thunderbird CVE-2014-1590 Denial of Service Vulnerability
https://security.gentoo.org/glsa/201504-01

Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security

CVEs referencing this url
https://bugzilla.mozilla.org/show_bug.cgi?id=1087633

1087633 - (CVE-2014-1590) XMLHttpRequest.prototype.send crashes when given a crafted object
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

[security-announce] openSUSE-SU-2015:1266-1: important: Mozilla (Firefox

CVEs referencing this url
http://www.mozilla.org/security/announce/2014/mfsa2014-85.html

XMLHttpRequest crashes with some input streams — Mozilla
Vendor Advisory
http://www.debian.org/security/2014/dsa-3092

Debian -- Security Information -- DSA-3092-1 icedove

CVEs referencing this url
http://www.debian.org/security/2014/dsa-3090

Debian -- Security Information -- DSA-3090-1 iceweasel

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2014-1590

Products affected by CVE-2014-1590

Exploit prediction scoring system (EPSS) score for CVE-2014-1590

CVSS scores for CVE-2014-1590

CWE ids for CVE-2014-1590

References for CVE-2014-1590