Vulnerability CVE-2014-1504

Vulnerability Name:

CVE-2014-1504 (CCN-91864)

Assigned:

2014-03-18

Published:

2014-03-18

Updated:

2020-08-10

Summary:

The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
2.2 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2014-1504

Source: SUSE
Type: Third Party Advisory
SUSE-SU-2014:0418

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2014:0419

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2014:0448

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2014:0584

Source: CCN
Type: SA57500
Mozilla Firefox / Thunderbird / SeaMonkey Multiple Vulnerabilities

Source: CCN
Type: SA57510
Mozilla Firefox Multiple Vulnerabilities

Source: CCN
Type: MFSA 2014-23
Content Security Policy for data: documents not preserved by session restore

Source: CONFIRM
Type: Vendor Advisory
http://www.mozilla.org/security/announce/2014/mfsa2014-23.html

Source: CONFIRM
Type: Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Source: CCN
Type: BID-66417
Mozilla Firefox and Seamonkey CVE-2014-1504 Security Bypass Vulnerability

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=911547

Source: XF
Type: UNKNOWN
firefox-cve20141504-xss(91864)

Source: GENTOO
Type: Third Party Advisory
GLSA-201504-01

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-1504

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version < 28.0)

Configuration 2:

cpe:/a:mozilla:seamonkey:*:*:*:*:*:*:*:* (Version < 2.25)

Configuration 3:

cpe:/o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

OR cpe:/o:oracle:solaris:11.3:*:*:*:*:*:*:*

OR cpe:/o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*

OR cpe:/o:suse:linux_enterprise_sdk:11:sp3:*:*:*:*:*:*

OR cpe:/o:opensuse:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*

OR cpe:/o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox:27.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:seamonkey:2.24:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:609	P	Security update for sqlite3 (Moderate) (in QA)	2022-10-04
oval:org.opensuse.security:def:20141504	V	CVE-2014-1504	2022-06-30
oval:org.opensuse.security:def:1301	P	Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Important)	2022-04-14
oval:org.opensuse.security:def:111898	P	MozillaFirefox-50.1.0-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:113433	P	seamonkey-2.40-6.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:945	P	Security update for net-snmp (Important)	2022-01-11
oval:org.opensuse.security:def:30166	P	Security update for chrony (Moderate)	2021-12-22
oval:org.opensuse.security:def:55979	P	Security update for clamav (Moderate)	2021-12-01
oval:org.opensuse.security:def:33047	P	Security update for webkit2gtk3 (Important)	2021-11-23
oval:org.opensuse.security:def:33741	P	Security update for postgresql, postgresql13, postgresql14 (Important)	2021-11-20
oval:org.opensuse.security:def:30147	P	Security update for MozillaFirefox (Important)	2021-11-17
oval:org.opensuse.security:def:33024	P	Security update for util-linux (Moderate)	2021-10-19
oval:org.opensuse.security:def:33729	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:105475	P	MozillaFirefox-50.1.0-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:106834	P	seamonkey-2.40-6.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:29417	P	Security update for libesmtp (Important)	2021-09-02
oval:org.opensuse.security:def:32985	P	Security update for openssl (Important)	2021-08-24
oval:org.opensuse.security:def:47131	P	ppc64-diag-2.7.1-5.6 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47591	P	dbus-1-1.8.22-29.10.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48129	P	libjansson4-2.12-3.5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48358	P	zypper-1.13.51-21.26.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47145	P	rpcbind-0.2.3-21.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47683	P	libXrender1-0.9.8-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48191	P	libsmi-0.4.8-18.55 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47266	P	glib2-lang-2.48.2-10.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47831	P	mutt-1.10.1-55.6.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48256	P	pam_krb5-2.4.4-4.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47130	P	powerpc-utils-1.3.2-17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47459	P	pam_krb5-2.4.4-4.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48045	P	ibus-chewing-1.4.14-4.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48287	P	python-pywbem-0.7.0-4.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:29406	P	Security update for cpio (Important)	2021-08-14
oval:org.opensuse.security:def:30108	P	Security update for libsndfile (Critical)	2021-08-05
oval:org.opensuse.security:def:29405	P	Security update for djvulibre (Important)	2021-08-05
oval:org.opensuse.security:def:30210	P	Security update for ucode-intel (Important)	2021-06-10
oval:org.opensuse.security:def:32936	P	Security update for shim (Important)	2021-06-08
oval:org.opensuse.security:def:55898	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:33645	P	Security update for samba (Important)	2021-05-04
oval:org.opensuse.security:def:30059	P	Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP2) (Important)	2021-04-12
oval:org.opensuse.security:def:29489	P	Security update for nghttp2 (Important)	2021-03-24
oval:org.opensuse.security:def:34044	P	Security update for wavpack (Important)	2021-03-24
oval:org.opensuse.security:def:55860	P	Security update for wpa_supplicant (Important)	2021-03-09
oval:org.opensuse.security:def:33091	P	Security update for openldap2 (Important)	2021-03-03
oval:org.opensuse.security:def:55301	P	Security update for python-cryptography (Important)	2021-03-02
oval:org.opensuse.security:def:28942	P	Security update for java-1_8_0-ibm (Important)	2021-02-26
oval:org.opensuse.security:def:32261	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:32262	P	Security update for java-1_8_0-openjdk (Moderate)	2021-02-19
oval:org.opensuse.security:def:33768	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:32273	P	Security update for MozillaFirefox (Important)	2021-01-12
oval:org.opensuse.security:def:30004	P	Security update for flac (Moderate)	2021-01-04
oval:org.opensuse.security:def:55135	P	Security update for cyrus-sasl (Important)	2020-12-28
oval:org.opensuse.security:def:55786	P	Security update for xen (Moderate)	2020-12-22
oval:org.opensuse.security:def:62390	P	MozillaFirefox-52.7.3-1.35 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72109	P	MozillaFirefox-52.7.3-1.35 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:26285	P	Security update for the Linux Kernel (Critical)	2020-12-01
oval:org.opensuse.security:def:26569	P	kde4-kgreeter-plugins on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26914	P	gvim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27060	P	xorg-x11-libs-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28251	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27420	P	imlib2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27794	P	Security update for libgcrypt	2020-12-01
oval:org.opensuse.security:def:27949	P	Security update for GraphicsMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:28330	P	Security update for php53 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28687	P	Security update for flash-player (Moderate)	2020-12-01
oval:org.opensuse.security:def:28981	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:28666	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:29765	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:30848	P	Security update for dhcp (Moderate)	2020-12-01
oval:org.opensuse.security:def:54456	P	e2fsprogs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55029	P	vino on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55694	P	Security update for ghostscript (Low)	2020-12-01
oval:org.opensuse.security:def:32485	P	PolicyKit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32879	P	gvim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33509	P	Security update for openswan	2020-12-01
oval:org.opensuse.security:def:33887	P	Security update for kdebase4-runtime	2020-12-01
oval:org.opensuse.security:def:34190	P	Security update for opie	2020-12-01
oval:org.opensuse.security:def:34897	P	Security update for dbus-1	2020-12-01
oval:org.opensuse.security:def:26296	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26626	P	pam_mount on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26963	P	libpng12-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27698	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:27217	P	libsoup-2_4-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27502	P	libwpd-0_8-8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27847	P	Security update for openldap2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27993	P	Security update for MozillaFirefox (Moderate)	2020-12-01
oval:org.opensuse.security:def:28461	P	Security update for xorg-x11-libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28839	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:28998	P	Security update for gnutls (Moderate)	2020-12-01
oval:org.opensuse.security:def:29851	P	Security update for Linux Kernel	2020-12-01
oval:org.opensuse.security:def:29716	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:54478	P	glib2-lang on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32579	P	mozilla-xulrunner190 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:33415	P	Security update for zeromq (Important)	2020-12-01
oval:org.opensuse.security:def:34215	P	Security update for php5 (Important)	2020-12-01
oval:org.opensuse.security:def:26284	P	Security update for taglib (Low)	2020-12-01
oval:org.opensuse.security:def:34937	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:26360	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:26710	P	gnome-screensaver on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27002	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49332	P	socat on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27228	P	libxcrypt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27559	P	rubygem-i18n-0_6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27896	P	Security update for tidy (Low)	2020-12-01
oval:org.opensuse.security:def:28631	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:28252	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28546	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:28893	P	Security update for fetchmail (Moderate)	2020-12-01
oval:org.opensuse.security:def:29042	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:29621	P	Security update for boost	2020-12-01
oval:org.opensuse.security:def:54618	P	libvdpau1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:30885	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:32636	P	apache2-mod_php53 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:57255	P	Security update for openssl-certs	2020-12-01
oval:org.opensuse.security:def:33416	P	Security update for ImageMagick	2020-12-01
oval:org.opensuse.security:def:34102	P	Security update for MozillaFirefox, MozillaFirefox-branding-SLED, MozillaFirefox-branding-SLES-for-VMware, mozilla-nss (Moderate)	2020-12-01
oval:org.opensuse.security:def:34259	P	Security update for postgresql94 (Important)	2020-12-01
oval:org.opensuse.security:def:27216	P	libsnmp15-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26488	P	Security update for cacti, cacti-spine (Moderate)	2020-12-01
oval:org.opensuse.security:def:26861	P	ant on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27016	P	postgresql on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49386	P	MozillaFirefox on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27292	P	squid on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27643	P	Security update for libssh2	2020-12-01
oval:org.opensuse.security:def:27935	P	Security update for GraphicsMagick (Important)	2020-12-01
oval:org.opensuse.security:def:27733	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:28263	P	Security update for mercurial (Important)	2020-12-01
oval:org.opensuse.security:def:28603	P	Security update for usbmuxd	2020-12-01
oval:org.opensuse.security:def:29680	P	Security update for ecryptfs-utils	2020-12-01
oval:org.opensuse.security:def:29708	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:54455	P	dracut on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54856	P	libecpg6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55586	P	Security update for openssh (Moderate)	2020-12-01
oval:org.opensuse.security:def:32350	P	Security update for squid (Moderate)	2020-12-01
oval:org.opensuse.security:def:32723	P	libopenssl0_9_8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:57329	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:33427	P	Security update for Samba	2020-12-01
oval:org.opensuse.security:def:33798	P	Security update for gd	2020-12-01
oval:org.opensuse.security:def:34151	P	Security update for openssh (Moderate)	2020-12-01
oval:org.mitre.oval:def:24858	P	SUSE-SU-2014:0418-1 -- Security update for MozillaFirefox	2015-03-16
oval:org.mitre.oval:def:23716	V	The session-restore feature in Mozilla Firefox before 28.0 and SeaMonkey before 2.25 does not consider the Content Security Policy of a data: URL, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted document that is accessed after a browser restart.	2014-10-06
oval:org.mitre.oval:def:23735	P	USN-2150-1 -- firefox vulnerabilities	2014-06-30
oval:org.opensuse.security:def:79963	P	Security update for MozillaFirefox	2014-03-20
oval:com.ubuntu.precise:def:20141504000	V	CVE-2014-1504 on Ubuntu 12.04 LTS (precise) - medium.	2014-03-19

BACK