CVE-2015-4518

medium

Description

The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL.

References

https://security.gentoo.org/glsa/201512-10

https://bugzilla.mozilla.org/show_bug.cgi?id=1182778

https://bugzilla.mozilla.org/show_bug.cgi?id=1136692

http://www.ubuntu.com/usn/USN-2785-1

http://www.securitytracker.com/id/1034069

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.mozilla.org/security/announce/2015/mfsa2015-118.html

http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html

Details

Source: Mitre, NVD

Published: 2015-11-05

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium