The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Max CVSS
6.8
EPSS Score
1.09%
Published
2015-10-18
Updated
2016-12-24
Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web site.
Max CVSS
2.6
EPSS Score
0.39%
Published
2015-02-25
Updated
2018-10-30
2 vulnerabilities found