| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.5 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in Mozilla Firefox 35. This vulnerability affects unknown code of the component Hyperlink Handler. The manipulation leads to access control. This vulnerability is referenced as CVE-2015-0821. No exploit is available. It is recommended to upgrade the affected component.
Details
A vulnerability was found in Mozilla Firefox 35 (Web Browser) and classified as problematic. This issue affects some unknown processing of the component Hyperlink Handler. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is integrity. The summary by CVE is:
Mozilla Firefox before 36.0 allows user-assisted remote attackers to read arbitrary files or execute arbitrary JavaScript code with chrome privileges via a crafted web site that is accessed with unspecified mouse and keyboard actions.
The weakness was published 02/24/2015 by Armin Razmdjou as MFSA 2015-25 as confirmed security advisory (Website). It is possible to read the advisory at mozilla.org. The identification of this vulnerability is CVE-2015-0821 since 01/07/2015. The exploitation is known to be easy. Attacking locally is a requirement. No form of authentication is needed for a successful exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK.
The vulnerability scanner Nessus provides a plugin with the ID 81588 (FreeBSD : mozilla -- multiple vulnerabilities (99029172-8253-407d-9d8b-2cfeab9abf81)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family FreeBSD Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 167676 (OpenSuSE Security Update for seamonkey (openSUSE-SU-2015:0570-1)).
Upgrading to version 36 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (101079), Tenable (81588), SecurityFocus (BID 72758†), SecurityTracker (ID 1031791†) and Vulnerability Center (SBV-48781†). Similar entries are available at VDB-69212, VDB-69213, VDB-69214 and VDB-69216. Be aware that VulDB is the high quality source for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.0VulDB Meta Temp Score: 3.5
VulDB Base Score: 4.0
VulDB Temp Score: 3.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Access controlCWE: CWE-264
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Unproven
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 81588
Nessus Name: FreeBSD : mozilla -- multiple vulnerabilities (99029172-8253-407d-9d8b-2cfeab9abf81)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 803420
OpenVAS Name: Mozilla Firefox Multiple Vulnerabilities-01 Mar15 (Windows)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Firefox 36
Timeline
01/07/2015 🔍02/24/2015 🔍
02/24/2015 🔍
02/24/2015 🔍
02/24/2015 🔍
02/24/2015 🔍
02/25/2015 🔍
02/25/2015 🔍
02/25/2015 🔍
03/10/2022 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: MFSA 2015-25
Researcher: Armin Razmdjou
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2015-0821 (🔍)
GCVE (CVE): GCVE-0-2015-0821
GCVE (VulDB): GCVE-100-69215
X-Force: 101079 - Mozilla Firefox hyperlinks security bypass
SecurityFocus: 72758 - Mozilla Firefox CVE-2015-0821 Local Security Bypass Vulnerability
SecurityTracker: 1031791 - Mozilla Firefox Multiple Flaws Let Remote Users Deny Service, Execute Arbitrary Code, Bypass Security Restrictions, and Obtain Potentially Sensitive Information and Let Local Users Gain Elevated Privileges
Vulnerability Center: 48781 - Mozilla Firefox <36.0 and SeaMonkey <2.33 Remote Security Bypass via Privileged URL, Medium
See also: 🔍
Entry
Created: 02/25/2015 12:04Updated: 03/10/2022 17:36
Changes: 02/25/2015 12:04 (77), 06/21/2017 10:48 (6), 03/10/2022 17:36 (3)
Complete: 🔍
Cache ID: 216:F62:103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.