Vulnerability Details : CVE-2015-7184
The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
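The mechanism behind the bug (see the Bugzilla entries in the references below: a credentialed `fetch()` in `no-cors` mode to a same-origin URL that is 302-redirected to a cross-origin URL) comes down to when a browser decides the response tainting. The following JavaScript is an added example written for this page, not Mozilla's code and not from the advisory: it is a simplified model of the Fetch specification's "main fetch" tainting rule and the "HTTP-redirect fetch" step that re-runs it. The origins, the stub server, and the `recomputeTaintingOnRedirect` switch (which stands in for the pre-41.0.2 behaviour implied by the bug titles, deciding tainting once from the initial same-origin URL) are all constructed assumptions for illustration.

```javascript
// Added example: a model of Fetch response tainting across a 302 redirect.
// Not Mozilla's implementation; origins, server stub and the buggy-mode switch
// are constructed for illustration only.

const PAGE_ORIGIN = "https://app.example";    // assumed origin of the attacker-controlled page
const OTHER_ORIGIN = "https://bank.example";  // assumed cross-origin site holding the victim's data

function originOf(url) {
  return new URL(url).origin;
}

// Stand-in for the network: the same-origin /redirect endpoint answers 302 to a
// cross-origin resource, which returns sensitive data only when a cookie is sent.
// The cross-origin server sends no CORS headers, so it never opts in to cross-origin reads.
function serve(url, { cookie }) {
  if (url === `${PAGE_ORIGIN}/redirect`) {
    return { status: 302, headers: { location: `${OTHER_ORIGIN}/account` }, body: "" };
  }
  if (url === `${OTHER_ORIGIN}/account`) {
    return { status: 200, headers: {}, body: cookie ? "balance=1234" : "login required" };
  }
  return { status: 404, headers: {}, body: "" };
}

// Fetch spec "main fetch": tainting is decided from the request's *current* URL.
// same-origin -> "basic"; cross-origin with mode "no-cors" -> "opaque";
// otherwise "cors" (the CORS check itself is not modeled here).
function taintingFor(requestOrigin, currentUrl, mode) {
  if (originOf(currentUrl) === requestOrigin) return "basic";
  if (mode === "no-cors") return "opaque";
  return "cors";
}

// Filter the response before handing it to script: an opaque response exposes
// neither status, headers nor body.
function filterResponse(response, tainting) {
  if (tainting === "opaque") {
    return { type: "opaque", status: 0, headers: {}, body: null };
  }
  return { type: tainting, status: response.status, headers: response.headers, body: response.body };
}

// Model of fetch(). `recomputeTaintingOnRedirect: true` is the spec behaviour
// (HTTP-redirect fetch re-invokes main fetch on the new URL); `false` models the
// flaw described for Firefox before 41.0.2, where the tainting chosen for the
// initial same-origin URL survived the redirect.
function modelFetch(url, { mode = "no-cors", credentials = "include", recomputeTaintingOnRedirect = true } = {}) {
  const requestOrigin = PAGE_ORIGIN;
  let tainting = taintingFor(requestOrigin, url, mode);
  let current = url;
  for (let hops = 0; hops < 20; hops++) {
    const cookie = credentials === "include" ||
      (credentials === "same-origin" && originOf(current) === requestOrigin);
    const resp = serve(current, { cookie });
    if (resp.status === 302) {
      current = new URL(resp.headers.location, current).href;
      if (recomputeTaintingOnRedirect) {
        tainting = taintingFor(requestOrigin, current, mode);
      }
      continue;
    }
    return filterResponse(resp, tainting);
  }
  throw new Error("too many redirects");
}

// Usage: the correct model yields an opaque response with no body; the buggy
// model hands the credentialed cross-origin body to the page's script.
const fixed = modelFetch(`${PAGE_ORIGIN}/redirect`);
const buggy = modelFetch(`${PAGE_ORIGIN}/redirect`, { recomputeTaintingOnRedirect: false });
console.log("spec behaviour:", fixed.type, fixed.body);
console.log("pre-fix behaviour:", buggy.type, buggy.body);
```

A direct cross-origin `no-cors` request is opaque in both modes; only the same-origin-then-redirect path distinguishes them, which is why the fix had to re-derive tainting from the request's current URL after each redirect rather than from the URL the page originally asked for.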
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2015-7184
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-7184
1.09% - probability of exploitation activity in the next 30 days
~82% - percentile, the proportion of vulnerabilities scored at or below this one
CVSS scores for CVE-2015-7184
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
CWE ids for CVE-2015-7184
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2015-7184
- Oracle Solaris Bulletin - April 2016
  http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- Cross-origin restriction bypass using Fetch (Mozilla vendor advisory, MFSA 2015-115)
  http://www.mozilla.org/security/announce/2015/mfsa2015-115.html
- [security-announce] openSUSE-SU-2015:1817-1: important: Security update
  http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html
- Bug 1212669 - (CVE-2015-7184) released fetch() allows full access to body on credentialed cross-origin no-cors request redirected from same-origin to cross-origin URL
  https://bugzilla.mozilla.org/show_bug.cgi?id=1212669
- Mozilla Firefox fetch() API CORS Access Control Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System (SecurityTracker)
  http://www.securitytracker.com/id/1033820
- Mozilla Firefox CVE-2015-7184 Cross-Origin Security Bypass Vulnerability (SecurityFocus BID 77100)
  http://www.securityfocus.com/bid/77100
- Bug 1208339 - Cross-Origin restriction bypass with fetch using 302 redirection
  https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
- USN-2768-1: Firefox vulnerability (Ubuntu security notices)
  http://www.ubuntu.com/usn/USN-2768-1