CVE-2015-4518
 
Severity Score
4.3
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2015-06-10 CVE Reserved
- 2015-11-05 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | X_refsource_confirm | |
http://www.securitytracker.com/id/1034069 | Vdb Entry | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1136692 | X_refsource_confirm | |
https://bugzilla.mozilla.org/show_bug.cgi?id=1182778 | X_refsource_confirm | |
URL | Date | SRC |
---|---|---|
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html | 2016-12-07 | |
http://www.mozilla.org/security/announce/2015/mfsa2015-118.html | 2016-12-07 | |
http://www.ubuntu.com/usn/USN-2785-1 | 2016-12-07 | |
https://security.gentoo.org/glsa/201512-10 | 2016-12-07 | |