Mozilla Firefox 30.0 Toolbar customizeToolbar.js access control
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.6 | $0-$5k | 0.00 |
A vulnerability was found in Mozilla Firefox 30.0 (Web Browser). It has been classified as critical. This affects some unknown processing of the file customizeToolbar.js of the component Toolbar Handler. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-264. This is going to have an impact on integrity.
The weakness was disclosed 07/22/2014 by David Chan and Gijs Kruitbosch as MFSA2014-60 as confirmed advisory (Website). It is possible to read the advisory at mozilla.org. This vulnerability is uniquely identified as CVE-2014-1561 since 01/16/2014. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 76720 (FreeBSD : mozilla -- multiple vulnerabilities (978b0f76-122d-11e4-afe3-bc5ff4fb5e7b)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 195567 (Ubuntu Security Notification for Firefox Vulnerabilities (USN-2295-1)).
Upgrading to version 31 eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (94773) and Tenable (76720). Further details are available at bugzilla.mozilla.org. The entries 67222, 67223, 67224 and 67225 are pretty similar.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.3VulDB Meta Temp Score: 4.6
VulDB Base Score: 5.3
VulDB Temp Score: 4.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
ATT&CK: T1068
Local: No
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 76720
Nessus Name: FreeBSD : mozilla -- multiple vulnerabilities (978b0f76-122d-11e4-afe3-bc5ff4fb5e7b)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 803463
OpenVAS Name: Mozilla Firefox Multiple Vulnerabilities-01 August14 (Windows)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Firefox 31
Timeline
01/16/2014 🔍07/22/2014 🔍
07/22/2014 🔍
07/22/2014 🔍
07/22/2014 🔍
07/23/2014 🔍
07/23/2014 🔍
07/24/2014 🔍
07/29/2014 🔍
02/09/2022 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: MFSA2014-60
Researcher: David Chan, Gijs Kruitbosch
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-1561 (🔍)
OVAL: 🔍
IAVM: 🔍
X-Force: 94773 - Mozilla Firefox customizeToolbar.js spoofing, Medium Risk
SecurityTracker: 1030619 - Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Deny Service, and Spoof User Interface Elements
Vulnerability Center: 45601 - Mozilla Firefox and Thunderbird Remote Spoofing via Crafted JavaScript - CVE-2014-1561, Medium
SecurityFocus: 68826 - Mozilla Firefox CVE-2014-1561 Event Spoofing Vulnerability
Secunia: 59760 - Waterfox Firefox Multiple Vulnerabilities, Highly Critical
Misc.: 🔍
See also: 🔍
Entry
Created: 07/23/2014 10:37Updated: 02/09/2022 18:39
Changes: 07/23/2014 10:37 (84), 06/03/2017 07:27 (8), 02/09/2022 18:31 (3), 02/09/2022 18:39 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.