[arch-security] [ASA-201510-10] firefox: cross-origin restriction bypass
Remi Gacogne
rgacogne at archlinux.org
Fri Oct 16 09:58:35 UTC 2015
Arch Linux Security Advisory ASA-201510-10
==========================================
Severity: High
Date : 2015-10-16
CVE-ID : CVE-2015-7184
Package : firefox
Type : cross-origin restriction bypass
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package firefox before version 41.0.2-1 is vulnerable to
cross-origin restriction bypass.
Resolution
==========
Upgrade to 41.0.2-1.
# pacman -Syu "firefox>=41.0.2-1"
The problem has been fixed upstream in version 41.0.2.
Workaround
==========
None.
Description
===========
Security researcher Abdulrahman Alqabandi reported that the fetch() API
did not correctly implement the Cross-Origin Resource Sharing (CORS)
specification, allowing a malicious page to access private data from
other origins. Mozilla developer Ben Kelly independently reported the
same issue.
Impact
======
A remote attacker can bypass the cross-origin resource sharing policy to
access sensitive information.
References
==========
https://www.mozilla.org/en-US/security/advisories/mfsa2015-115/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7184
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151016/eafd75c1/attachment.asc>
More information about the arch-security
mailing list