CVE-2014-8638

Published: Jan 14, 2015Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.

Affected (8)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird, Seamonkey

4 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Version 31.0
Mozilla Firefox	Version 31.1.0
Mozilla Firefox	Version 31.1.1
Mozilla Firefox	Version 31.3.0
Mozilla Firefox Esr	Version 31.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Up to 31.3.0

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Up to 34.0.5

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Mozilla Seamonkey	Up to 2.31

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (78)

http://linux.oracle.com/errata/ELSA-2015-0046.html

Source: security@mozilla.org

http://linux.oracle.com/errata/ELSA-2015-0047.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2015-0046.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2015-0047.html

Source: security@mozilla.org

http://secunia.com/advisories/62237

Source: security@mozilla.org

http://secunia.com/advisories/62242

Source: security@mozilla.org

http://secunia.com/advisories/62250

Source: security@mozilla.org

http://secunia.com/advisories/62253

Source: security@mozilla.org

http://secunia.com/advisories/62259

Source: security@mozilla.org

http://secunia.com/advisories/62273

Source: security@mozilla.org

http://secunia.com/advisories/62274

Source: security@mozilla.org

http://secunia.com/advisories/62283

Source: security@mozilla.org

http://secunia.com/advisories/62293

Source: security@mozilla.org

http://secunia.com/advisories/62304

Source: security@mozilla.org

http://secunia.com/advisories/62313

Source: security@mozilla.org

http://secunia.com/advisories/62315

Source: security@mozilla.org

http://secunia.com/advisories/62316

Source: security@mozilla.org

http://secunia.com/advisories/62418

Source: security@mozilla.org

http://secunia.com/advisories/62446

Source: security@mozilla.org

http://secunia.com/advisories/62657

Source: security@mozilla.org

http://secunia.com/advisories/62790

Source: security@mozilla.org

http://www.debian.org/security/2015/dsa-3127

Source: security@mozilla.org

http://www.debian.org/security/2015/dsa-3132

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2014/mfsa2015-03.html

Source: security@mozilla.org

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: security@mozilla.org

http://www.securityfocus.com/bid/72047

Source: security@mozilla.org

http://www.securitytracker.com/id/1031533

Source: security@mozilla.org

http://www.securitytracker.com/id/1031534

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2460-1

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=1080987

Source: security@mozilla.org

https://exchange.xforce.ibmcloud.com/vulnerabilities/99958

Source: security@mozilla.org

https://security.gentoo.org/glsa/201504-01

Source: security@mozilla.org

http://linux.oracle.com/errata/ELSA-2015-0046.html