10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
8.7 High
AI Score
Confidence
High
0.057 Low
EPSS
Percentile
93.4%
Multiple serious vulnerabilities have been found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to spoof user interface, cause denial of service, bypass security restrictions, gain privileges, execute arbitrary code or obtain sensitive information.
Below is a complete list of vulnerabilities
Technical details
Vulnerability (2) related to implementation error with unboxed objects and property storing. This vulnerability can be triggered during some Javascript variables assignment.
Vulnerability (3) can be triggered if perfomance.getEntries() is used with iframe to host a page. This vulnerability could lead to cross-origin URLs following (Navigating back through script , content is pulled from browser cache for the redirected location instead original)
Vulnerability (4) caused by storing ASCII code 11 for vertical tab at cookie in violation of RFC6265. This vulnerability can lead to incorrect server-side cookie handling which in its turn can lead to ability of setting and reading cookie data.
Vulnerability (5) related to timing issues that causes WebRTC to trust that datachannel is open after another WebRTC function closed it.
Vulnerability (6) emerges when allocating textures of extremely large sizes at mozilla::layers::BufferTextureClient::AllocateForSurface.
Vulnerability (7) leaks information through error events in web workers. This information could be used to gain authentication tokens and other data.
Vulnerability (8) caused by improper β#β symbol handling at data: URI which can lead to spoof URI.
Vulnerability (9) can be triggered via malformed HTTP2 header frame with only a single byte or HTTP2 PushPromise frame with miscalculation of decompressed buffer size.
Vulnerability (10) caused by using systemβs gdk-pixbuf library to render thumbnails for file choose dialog. Some of image decoders (Jasper and TGA) supported in this library unmantained and vulnerable. This vulnerability affects only Linux systems with Gnome.
Vulnerability (11) related to OOM in DirectWriteFontInfo::LoadFontFamilyData, XDRBuffer::grow and nsDeque::GrowCapacity.
Vulnerability (12) related to RTPReceiverVideo::ParseRtpPacket.
Vulnerability (13) related to MPEG4Extractor::readMetaData.
Vulnerability (14) related to libstagefright and can be triggered while parsing MP4 cover metadata in Metadata::setData.
Vulnerability (16) can be triggered via data: and view-source: URIs and can lead to read cross-site URLs and local files.
Mozilla Foundation Security Advisories
CVE-2015-7223 warning
CVE-2015-7201 critical
CVE-2015-7202 critical
CVE-2015-7203 critical
CVE-2015-7204 high
CVE-2015-7205 critical
CVE-2015-7207 critical
CVE-2015-7208 critical
CVE-2015-7210 critical
CVE-2015-7211 critical
CVE-2015-7212 critical
CVE-2015-7213 high
CVE-2015-7214 critical
CVE-2015-7215 critical
CVE-2015-7216 high
CVE-2015-7217 warning
CVE-2015-7218 critical
CVE-2015-7219 critical
CVE-2015-7220 critical
CVE-2015-7221 critical
CVE-2015-7222 high
Update to the latest versionGet Firefox
Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.
Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.
Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.
Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.
Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.
Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in user interface to beguile user into inaccurate behavior.