CVE-2015-0818
Mozilla Firefox SVG DOMAttrModified Same-Origin Policy Bypass Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation.
Mozilla Firefox anterior a 36.0.4, Firefox ESR 31.x anterior a 31.5.3, y SeaMonkey anterior a 2.33.1 permiten a atacantes remotos evadir Same Origin Policy y ejecutar código JavaScript arbitrario con privilegios chrome a través de vectores que involucran la navegación por hashes de SVG.
This vulnerability allows remote attackers to bypass the same-origin policy on vulnerable installations of Mozilla Firefox. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of SVG format content navigation. By using a DOMAttrModified mutation event listener, an attacker can inject an arbitrary URL into the history, and cause Firefox to break the same-origin isolation policy.
A flaw was discovered in the implementation of typed array bounds checking in the Javascript just-in-time compilation. If a user were tricked in to opening a specially crafted website, an attacked could exploit this to execute arbitrary code with the privileges of the user invoking Firefox. Mariusz Mlynski discovered a flaw in the processing of SVG format content navigation. If a user were tricked in to opening a specially crafted website, an attacker could exploit this to run arbitrary script in a privileged context. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-01-07 CVE Reserved
- 2015-03-23 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html | X_refsource_confirm |
|
| http://www.securityfocus.com/bid/73265 | Vdb Entry | |
| http://www.securitytracker.com/id/1031959 | Vdb Entry | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1144988 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mozilla Search vendor "Mozilla" | Firefox Search vendor "Mozilla" for product "Firefox" | <= 36.0.3 Search vendor "Mozilla" for product "Firefox" and version " <= 36.0.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.1 Search vendor "Mozilla" for product "Firefox Esr" and version "31.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.1.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.1.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.1.1 Search vendor "Mozilla" for product "Firefox Esr" and version "31.1.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.2 Search vendor "Mozilla" for product "Firefox Esr" and version "31.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.3 Search vendor "Mozilla" for product "Firefox Esr" and version "31.3" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.3.0 Search vendor "Mozilla" for product "Firefox Esr" and version "31.3.0" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.4 Search vendor "Mozilla" for product "Firefox Esr" and version "31.4" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.5 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.5.1 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5.1" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Firefox Esr Search vendor "Mozilla" for product "Firefox Esr" | 31.5.2 Search vendor "Mozilla" for product "Firefox Esr" and version "31.5.2" | - |
Affected
| ||||||
| Mozilla Search vendor "Mozilla" | Seamonkey Search vendor "Mozilla" for product "Seamonkey" | <= 2.33.0 Search vendor "Mozilla" for product "Seamonkey" and version " <= 2.33.0" | - |
Affected
| ||||||