Vulnerability Name:

CVE-2014-1583

Assigned: 2014-01-16
Published: 2014-10-14
Updated: 2016-12-21
Summary: The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm.
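The summary describes a serialization hook (toJSON) reachable without the origin check that guards ordinary property access, so JSON.stringify() on the object hands cross-origin data to a script that could not read it directly. The block below is an added, simplified model of that bug class in plain JavaScript; it is not Mozilla's Alarm API implementation and does not reproduce the actual Firefox bug. The class names, the runAs helper that stands in for the running script's principal, the string-equality origin check and the sample alarm record are all constructed for this illustration.

```javascript
// Added illustration of the bug class named in the summary: a simplified model,
// NOT Mozilla's Alarm API code. runAs, LeakyAlarm, FixedAlarm, readAs and the
// sample record are constructed for this example.

let activeOrigin = null; // stands in for the principal of the currently running script

// Run fn as if it were a script from `origin`, restoring the previous principal after.
function runAs(origin, fn) {
  const previous = activeOrigin;
  activeOrigin = origin;
  try {
    return fn();
  } finally {
    activeOrigin = previous;
  }
}

// Toy same-origin check (assumption: string equality; the real policy compares
// scheme, host and port).
function requireSameOrigin(owner) {
  if (activeOrigin !== owner) {
    throw new Error(`SecurityError: ${activeOrigin} may not read data owned by ${owner}`);
  }
}

// Vulnerable shape: the `data` getter is origin-checked, but JSON.stringify()
// never calls the getter. It calls toJSON(), which hands out the raw record.
// The record is a private field, modelling binding internals that script cannot
// reach except through the paths the object exposes.
class LeakyAlarm {
  #record;
  constructor(owner, record) {
    this.owner = owner;
    this.#record = record;
  }
  get data() {
    requireSameOrigin(this.owner);
    return this.#record.data;
  }
  toJSON() {
    return this.#record; // no check on this path: the bypass
  }
}

// Hardened shape: the serialization hook applies the same check as the getter,
// and returns a copy rather than the backing record.
class FixedAlarm extends LeakyAlarm {
  toJSON() {
    requireSameOrigin(this.owner);
    return { ...super.toJSON() };
  }
}

// What a script from `origin` learns about `alarm` through each access path.
function readAs(alarm, origin) {
  return runAs(origin, () => {
    const out = {};
    try { out.direct = alarm.data; } catch (e) { out.direct = "denied"; }
    try { out.viaJSON = JSON.stringify(alarm); } catch (e) { out.viaJSON = "denied"; }
    return out;
  });
}

// Constructed sample: an alarm owned by one origin, probed from another.
const OWNER = "https://app.example";
const ATTACKER = "https://evil.example";
const RECORD = { id: 1, date: "2014-10-14T09:00:00Z", data: { token: "constructed-secret" } };

console.log("LeakyAlarm read from attacker origin:", readAs(new LeakyAlarm(OWNER, RECORD), ATTACKER));
console.log("FixedAlarm read from attacker origin:", readAs(new FixedAlarm(OWNER, RECORD), ATTACKER));
console.log("FixedAlarm read from owner origin:", readAs(new FixedAlarm(OWNER, RECORD), OWNER));
```

The point the model makes is general: any object whose security checks live in accessors also has to apply them in every implicit path the language gives callers, and toJSON is one such path because JSON.stringify() invokes it on the object's behalf. When reviewing an API binding, enumerate those hooks (toJSON, toString, valueOf, iterators, Symbol.toPrimitive) alongside the getters.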
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): Low
    Integrity (I): None
    Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): None
    Availability (A): None
CVSS v2 Severity: 4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): None
    Availability (A): None
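The three base scores above follow mechanically from their vector strings. The block below is an added example, not code from this page, the database or Mozilla; it recomputes each score from its vector using the base-score equations and metric weights of the FIRST CVSS v3.0 and CVSS v2.0 specifications (the qualitative rating bands are from the v3.0 specification). The only inputs are the vectors printed on this page.

```javascript
// Added example: recompute the base scores printed on this page from their
// vector strings. Not code from the page, the database, or Mozilla. Equations and
// weights are those of the FIRST CVSS v3.0 and CVSS v2.0 base score specifications.

// "CVSS:3.0/AV:N/AC:L/..." or "AV:N/AC:L/Au:N/..." -> { AV: "N", AC: "L", ... }
function parseVector(vector) {
  const metrics = {};
  for (const part of vector.split("/")) {
    const [name, value] = part.split(":");
    if (name === undefined || value === undefined) throw new Error(`bad metric: ${part}`);
    metrics[name] = value;
  }
  return metrics;
}

// Look up a metric weight, failing loudly on an unknown or missing value.
function weight(table, name, value) {
  const w = table[name] && table[name][value];
  if (w === undefined) throw new Error(`unknown metric ${name}:${value}`);
  return w;
}

// CVSS v3.0 base metric weights. PR depends on Scope: [unchanged, changed].
const V3 = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] },
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};

// v3.0 "Roundup": the smallest one-decimal number that is >= x.
const roundUp = (x) => Math.ceil(x * 10) / 10;

function cvss3BaseScore(vector) {
  const m = parseVector(vector);
  if (m.CVSS !== "3.0") throw new Error("expected a CVSS:3.0 vector");
  const changed = m.S === "C";
  const iss = 1 - (1 - weight(V3, "C", m.C)) * (1 - weight(V3, "I", m.I)) * (1 - weight(V3, "A", m.A));
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability = 8.22 * weight(V3, "AV", m.AV) * weight(V3, "AC", m.AC)
    * weight(V3, "PR", m.PR)[changed ? 1 : 0] * weight(V3, "UI", m.UI);
  if (impact <= 0) return 0;
  const raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
  return roundUp(Math.min(raw, 10));
}

// Qualitative rating bands from the v3.0 specification.
function cvss3Severity(score) {
  if (score === 0) return "None";
  if (score < 4) return "Low";
  if (score < 7) return "Medium";
  if (score < 9) return "High";
  return "Critical";
}

// CVSS v2.0 base metric weights.
const V2 = {
  AV: { L: 0.395, A: 0.646, N: 1.0 },
  AC: { H: 0.35, M: 0.61, L: 0.71 },
  Au: { M: 0.45, S: 0.56, N: 0.704 },
  C: { N: 0, P: 0.275, C: 0.66 },
  I: { N: 0, P: 0.275, C: 0.66 },
  A: { N: 0, P: 0.275, C: 0.66 },
};

function cvss2BaseScore(vector) {
  const m = parseVector(vector);
  const impact = 10.41 * (1 - (1 - weight(V2, "C", m.C)) * (1 - weight(V2, "I", m.I)) * (1 - weight(V2, "A", m.A)));
  if (impact === 0) return 0; // f(Impact) = 0 when there is no impact at all
  const exploitability = 20 * weight(V2, "AV", m.AV) * weight(V2, "AC", m.AC) * weight(V2, "Au", m.Au);
  return Math.round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176 * 10) / 10;
}

// The vectors printed on this page.
const NVD_V3 = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N";
const NVD_V2 = "AV:N/AC:L/Au:N/C:P/I:N/A:N";
const REDHAT_V2 = "AV:N/AC:M/Au:N/C:P/I:N/A:N";

const v3 = cvss3BaseScore(NVD_V3);
console.log(`${NVD_V3} -> ${v3} (${cvss3Severity(v3)})`);
console.log(`${NVD_V2} -> ${cvss2BaseScore(NVD_V2)}`);
console.log(`${REDHAT_V2} -> ${cvss2BaseScore(REDHAT_V2)}`);
```

Running it reproduces 5.3, 5.0 and 4.3. The Red Hat vector differs from the NVD one only in Access Complexity (Medium rather than Low), which is the whole 0.7-point gap; that is the kind of scoring disagreement worth checking before a score drives a patch deadline.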
References:Source: FEDORA
Type: UNKNOWN
http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html

Source: FEDORA
Type: UNKNOWN
http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html

Source: SUSE
Type: UNKNOWN
http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html

Source: SUSE
Type: UNKNOWN
http://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html

Source: REDHAT
Type: UNKNOWN
http://rhn.redhat.com/errata/RHSA-2014-1635.html

Source: DEBIAN
Type: UNKNOWN
http://www.debian.org/security/2014/dsa-3050

Source: CONFIRM
Type: VENDOR_ADVISORY
http://www.mozilla.org/security/announce/2014/mfsa2014-82.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html

Source: BID
Type: UNKNOWN
70424

Source: SECTRACK
Type: UNKNOWN
1031028

Source: SECTRACK
Type: UNKNOWN
1031030

Source: UBUNTU
Type: UNKNOWN
http://www.ubuntu.com/usn/USN-2372-1

Source: CONFIRM
Type: UNKNOWN
https://advisories.mageia.org/MGASA-2014-0421.html

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.mozilla.org/show_bug.cgi?id=1015540

Source: GENTOO
Type: UNKNOWN
https://security.gentoo.org/glsa/201504-01

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:mozilla:firefox:32.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:31.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox:30.0:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:mozilla:firefox_esr:31.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:mozilla:firefox_esr:31.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Oval Definitions (Class: V = vulnerability definition, P = patch definition):

Definition ID: oval:org.opensuse.security:def:20141583
Class: V
Title: CVE-2014-1583
Last Modified: 2017-09-24

Definition ID: oval:org.mitre.oval:def:28150
Class: P
Title: SUSE-SU-2014:1510-1 -- Security update for MozillaFirefox and mozilla-nss (moderate)
Last Modified: 2015-03-16

Definition ID: oval:org.mitre.oval:def:27600
Class: P
Title: SUSE-SU-2014:1458-3 -- Security update for MozillaFirefox (important)
Last Modified: 2015-01-26

Definition ID: oval:org.mitre.oval:def:28321
Class: P
Title: SUSE-SU-2014:1385-1 -- Security update for MozillaFirefox (important)
Last Modified: 2015-01-26

Definition ID: oval:org.mitre.oval:def:28218
Class: P
Title: SUSE-SU-2014:1458-1 -- Security update for MozillaFirefox (important)
Last Modified: 2015-01-26

Definition ID: oval:org.mitre.oval:def:27515
Class: P
Title: SUSE-SU-2014:1458-2 -- Security update for MozillaFirefox (important)
Last Modified: 2015-01-26

Definition ID: oval:org.mitre.oval:def:28285
Class: P
Title: DSA-3050-3 -- iceweasel security update
Last Modified: 2014-12-29

Definition ID: oval:org.mitre.oval:def:27134
Class: P
Title: ELSA-2014-1635 -- firefox security update
Last Modified: 2014-12-08

Definition ID: oval:org.mitre.oval:def:26973
Class: P
Title: USN-2372-1 -- Firefox vulnerabilities
Last Modified: 2014-11-24

Definition ID: oval:org.mitre.oval:def:26899
Class: P
Title: RHSA-2014:1635: firefox security update (Critical)
Last Modified: 2014-11-24

Definition ID: oval:com.redhat.rhsa:def:20141635
Class: P
Title: RHSA-2014:1635: firefox security update (Critical)
Last Modified: 2014-10-15

Definition ID: oval:com.ubuntu.precise:def:20141583000
Class: V
Title: CVE-2014-1583 on Ubuntu 12.04 LTS (precise) - medium.
Last Modified: 2014-10-15

Definition ID: oval:com.ubuntu.trusty:def:20141583000
Class: V
Title: CVE-2014-1583 on Ubuntu 14.04 LTS (trusty) - medium.
Last Modified: 2014-10-15