CVE-2015-0807

Published: Apr 1, 2015Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638.

Affected (14)

Products: Mozilla: Firefox, Firefox Esr, Thunderbird

3 products

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Up to 36.0.4
Mozilla Firefox	Version 31.0
Mozilla Firefox	Version 31.1.0
Mozilla Firefox	Version 31.1.1
Mozilla Firefox	Version 31.3.0
Mozilla Firefox	Version 31.5.1
Mozilla Firefox	Version 31.5.2
Mozilla Firefox	Version 31.5.3
Mozilla Firefox Esr	Version 31.1
Mozilla Firefox Esr	Version 31.2
Mozilla Firefox Esr	Version 31.3
Mozilla Firefox Esr	Version 31.4
Mozilla Firefox Esr	Version 31.5
Mozilla Thunderbird	Up to 31.5

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (34)

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2015-0766.html

Source: security@mozilla.org

http://rhn.redhat.com/errata/RHSA-2015-0771.html

Source: security@mozilla.org

http://www.debian.org/security/2015/dsa-3211

Source: security@mozilla.org

http://www.debian.org/security/2015/dsa-3212

Source: security@mozilla.org

http://www.mozilla.org/security/announce/2015/mfsa2015-37.html

Source: security@mozilla.org

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: security@mozilla.org

http://www.securityfocus.com/bid/73457

Source: security@mozilla.org

http://www.securitytracker.com/id/1031996

Source: security@mozilla.org

http://www.securitytracker.com/id/1032000

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2550-1

Source: security@mozilla.org

http://www.ubuntu.com/usn/USN-2552-1

Source: security@mozilla.org

https://bugzilla.mozilla.org/show_bug.cgi?id=1111834

Source: security@mozilla.org

https://security.gentoo.org/glsa/201512-10

Source: security@mozilla.org

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00006.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00012.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2015-0766.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2015-0771.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2015/dsa-3211

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2015/dsa-3212

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mozilla.org/security/announce/2015/mfsa2015-37.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/73457

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id/1031996

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securitytracker.com/id/1032000

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2550-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-2552-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.mozilla.org/show_bug.cgi?id=1111834

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201512-10

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.