Vulnerability Details : CVE-2014-8638
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.
Vulnerability category: Cross-site request forgery (CSRF)
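As an added illustration (not part of this record or of Mozilla's code) of why the missing Origin header mattered on the server side: a lenient CORS/CSRF check that only rejects a present-but-disallowed Origin accepts a request carrying no Origin at all, while a strict check treats the absence as cross-site and is paired with a per-session token. The allowed origin, the header values and the token are constructed for the example.

```python
from urllib.parse import urlsplit
import hmac

# Constructed for this example: the only origin allowed to change state.
ALLOWED_ORIGINS = {"https://app.example"}

def referer_origin(referer: str) -> str:
    """Reduce a Referer URL to its origin (scheme://host[:port])."""
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"

def lenient_origin_check(headers: dict) -> bool:
    """Rejects only when an Origin is present and not on the allow list.
    A beacon from an affected Firefox carried no Origin header at all, so
    a check like this accepted it."""
    origin = headers.get("Origin")
    return origin is None or origin in ALLOWED_ORIGINS

def strict_origin_check(headers: dict) -> bool:
    """Requires a source origin: Origin, or Referer as a fallback for
    deriving it. No source header at all is treated as cross-site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        origin = referer_origin(referer)
    return origin in ALLOWED_ORIGINS

def csrf_token_check(form: dict, session_token: str) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)

def authorize_state_change(headers: dict, form: dict, session_token: str) -> bool:
    """Defence in depth: both the origin check and the token must pass."""
    return strict_origin_check(headers) and csrf_token_check(form, session_token)

# Constructed sample: a sendBeacon POST from an affected browser as the
# server saw it -- session cookie attached, but no Origin header.
BEACON_HEADERS = {
    "Host": "app.example",
    "Cookie": "session=abc123",
    "Content-Type": "text/plain;charset=UTF-8",
}
```

Servers that relied on Origin alone for CSRF protection should confirm they fail closed when the header is absent, as the strict check here does.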
Products affected by CVE-2014-8638
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:31.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:31.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-8638
- EPSS score: 0.64% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2014-8638
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
CWE ids for CVE-2014-8638
- The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2014-8638
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99958 (Mozilla Firefox, Thunderbird and SeaMonkey cross-site request forgery CVE-2014-8638 Vulnerability Report)
- http://secunia.com/advisories/62273
- http://secunia.com/advisories/62253
- http://linux.oracle.com/errata/ELSA-2015-0046.html (linux.oracle.com | ELSA-2015-0046)
- http://secunia.com/advisories/62250
- http://secunia.com/advisories/62293
- http://secunia.com/advisories/62304
- http://rhn.redhat.com/errata/RHSA-2015-0047.html (RHSA-2015:0047 - Security Advisory - Red Hat Customer Portal)
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html (Oracle Solaris Third Party Bulletin - April 2015)
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html ([security-announce] SUSE-SU-2015:0171-1: important: Security update for)
- http://www.debian.org/security/2015/dsa-3127 (Debian -- Security Information -- DSA-3127-1 iceweasel)
- http://secunia.com/advisories/62283
- http://secunia.com/advisories/62313
- http://www.ubuntu.com/usn/USN-2460-1 (USN-2460-1: Thunderbird vulnerabilities | Ubuntu security notices)
- http://www.securitytracker.com/id/1031533 (Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Conduct Cross-Site Request Forgery Attacks, and Obtain Potentially Sensitive Information - SecurityTracker)
- http://rhn.redhat.com/errata/RHSA-2015-0046.html (RHSA-2015:0046 - Security Advisory - Red Hat Customer Portal)
- https://bugzilla.mozilla.org/show_bug.cgi?id=1080987 (1080987 - (CVE-2014-8638) navigator.sendBeacon() doesn't satisfy CORS specification)
- http://linux.oracle.com/errata/ELSA-2015-0047.html (linux.oracle.com | ELSA-2015-0047)
- http://secunia.com/advisories/62274
- https://security.gentoo.org/glsa/201504-01 (Mozilla Products: Multiple vulnerabilities (GLSA 201504-01) — Gentoo security)
- http://secunia.com/advisories/62259
- http://secunia.com/advisories/62237
- http://www.debian.org/security/2015/dsa-3132 (Debian -- Security Information -- DSA-3132-1 icedove)
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html ([security-announce] openSUSE-SU-2015:1266-1: important: Mozilla (Firefox)
- http://secunia.com/advisories/62446
- http://www.mozilla.org/security/announce/2014/mfsa2015-03.html (sendBeacon requests lack an Origin header — Mozilla Vendor Advisory)
- http://www.securitytracker.com/id/1031534 (Mozilla Thunderbird Multiple Flaws Let Remote Users Execute Arbitrary Code, Conduct Cross-Site Request Forgery Attacks, and Conduct Session Fixation Attacks - SecurityTracker)
- http://secunia.com/advisories/62315
- http://secunia.com/advisories/62657
- http://secunia.com/advisories/62242
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html ([security-announce] SUSE-SU-2015:0173-1: important: Security update for)
- http://secunia.com/advisories/62316
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html ([security-announce] openSUSE-SU-2015:0192-1: important: Security update)
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html ([security-announce] openSUSE-SU-2015:0077-1: important: Security update)
- http://secunia.com/advisories/62790
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html ([security-announce] SUSE-SU-2015:0180-1: important: Security update for)
- http://www.securityfocus.com/bid/72047 (Mozilla Firefox/Thunderbird/SeaMonkey sendBeacon Cross-Site Request Forgery Vulnerability)
- http://secunia.com/advisories/62418
- http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html (openSUSE-SU-2015:0133-1: moderate: Security update for MozillaThunderbir)