Vulnerability Details : CVE-2014-1594

Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before 2.31 might allow remote attackers to execute arbitrary code by leveraging an incorrect cast from the BasicThebesLayer data type to the BasicContainerLayer data type.

Vulnerability category: Input validationExecute code

Published 2014-12-11 11:59:08

Updated 2016-12-24 02:59:02

Source Mozilla Corporation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-1594

Probability of exploitation activity in the next 30 days: 5.71%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 93 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-1594

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2014-1594

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-1594

http://www.mozilla.org/security/announce/2014/mfsa2014-89.html

Bad casting from the BasicThebesLayer to BasicContainerLayer — Mozilla
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00024.html

[security-announce] openSUSE-SU-2015:0138-1: important: Firefox update t

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Oracle Solaris Third Party Bulletin - April 2015

CVEs referencing this url
http://www.securityfocus.com/bid/71396

Mozilla Firefox/Thunderbird CVE-2014-1594 Security Vulnerability
https://bugzilla.mozilla.org/show_bug.cgi?id=1074280

1074280 - (CVE-2014-1594) Bad casting: From BasicThebesLayer to BasicContainerLayer
https://security.gentoo.org/glsa/201504-01

Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

[security-announce] openSUSE-SU-2015:1266-1: important: Mozilla (Firefox

CVEs referencing this url
http://www.debian.org/security/2014/dsa-3092

Debian -- Security Information -- DSA-3092-1 icedove

CVEs referencing this url
http://www.debian.org/security/2014/dsa-3090

Debian -- Security Information -- DSA-3090-1 iceweasel

CVEs referencing this url

Products affected by CVE-2014-1594

Mozilla » Firefox
Versions up to, including, (<=) 33.0
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Thunderbird
Versions up to, including, (<=) 31.2
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Seamonkey
Versions up to, including, (<=) 2.30
cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
Matching versions
Mozilla » Firefox Esr
Versions up to, including, (<=) 31.2
cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Matching versions