CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
94.9%
Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to cause denial of service, spoof user interface, bypass security restrictions, execute arbitrary code or obtain sensitive information.
Below is a complete list of vulnerabilities
Technical details
Vulnerability (2) caused by sending type 3 messages during authentication exchange. which in its turn caused by workstation field populating with the hostname of system making request for NTLM-based HTTP authentication. This vulnerability mitigated because NTLM v1 disabled by default.
Reader mode disables scripts for rendered pages through a witelist of allowed HTML content. Vulnerability (3) caused by too permissive whitelist.
Vulnerability (4) caused by not restoring addressbar when window is redrawn from fullscreen to normal mode. Vulnerable behavior can be triggered and then exploited by script.
Locally saved HTML file could use file: URIs to trigger the download of additional files or opening of cached profile data without user awareness. (5)
When a panel is created using the add-on SDK, defining panel with script: false is supposed to disable script execution. But it was found that inline script would still execute. This behavior causes vulnerability (6). add-ons served from addons.mozilla.org are not vulnerable for (6) but third party sites served may be.
Vulnerability (7) caused by trailing whitespaces evaluated differently when parsing IP instead of alphanumeric hostnames.
Firefox can be registered to be used by search engine through Android intent. When Firefox is launched, the URL can be executed with Firefoxβs system privileges if the crash reporter is used. This allows reading local log files, potentially leaking private information. This vulnerability (9) affects only Firefox for Android on Android versions 4.4 and earlier. Maximum impact for other android is non-exploitable crash.
Vulnerability (11) triggered by accessibility tools request for index of a table row through the NSAccessibilityIndexAttribute value.
Vulnerability (14) caused by abandoning parsing process when an effected escaped character is encountered followed by a navigation to the previously parsed version of the URL. When site allowing for navigation redirection for escaped characters this could lead to extraction of site-specific tokens.
Vulnerability (15) caused by permission for Java plugin to deallocate JavaScript wrapper. Which leads to a JavaScript garbage collection crash.
Vulnerability (19) caused by errors in octet string parsing. This issue was fixed at NSS versions 3.16.2.1 and 3.19.4 shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.
Vulnerability (20) caused by lack of checks during memory allocation. This issues was fixed in NSPR 4.10.10. NSPR is required component of NSS.
Mozilla foundation security advisories
CVE-2015-7183 critical
CVE-2015-7200 critical
CVE-2015-7199 critical
CVE-2015-7198 critical
CVE-2015-7197 warning
CVE-2015-7196 high
CVE-2015-7195 warning
CVE-2015-7194 critical
CVE-2015-7193 critical
CVE-2015-7192 critical
CVE-2015-7191 warning
CVE-2015-7190 warning
CVE-2015-7189 high
CVE-2015-7188 critical
CVE-2015-7187 warning
CVE-2015-7186 warning
CVE-2015-7185 warning
CVE-2015-7182 critical
CVE-2015-7181 critical
CVE-2015-4518 warning
CVE-2015-4515 warning
CVE-2015-4514 critical
CVE-2015-4513 critical
Update to the latest versionGet Firefox
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
Cross site scripting. Exploitation of vulnerabilities with this impact can lead to partial interception of information transmitted between user and site.
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.
Loss of integrity. Exploitation of vulnerabilities with this impact can lead to partial system fault or system components connection disruption.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
94.9%