Vulnerabilities > CVE-2015-4498 - 7PK - Security Features vulnerability in Mozilla Firefox
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early point in the installation process.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-565.NASL description MozillaFirefox was updated to version 40.0.3 to fix two security issues and several bugs. Changes in MozillaFirefox : - update to Firefox 40.0.3 (bnc#943550) - Disable the asynchronous plugin initialization (bmo#1198590) - Fix a segmentation fault in the GStreamer support (bmo#1145230) - Fix a regression with some Japanese fonts used in the <input> field (bmo#1194055) - On some sites, the selection in a select combox box using the mouse could be broken (bmo#1194733) security fixes - MFSA 2015-94/CVE-2015-4497 (bmo#1164766, bmo#1175278, bsc#943557) Use-after-free when resizing canvas element during restyling - MFSA 2015-95/CVE-2015-4498 (bmo#1042699, bsc#943558) Add-on notification bypass through data URLs last seen 2020-06-05 modified 2015-09-08 plugin id 85834 published 2015-09-08 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85834 title openSUSE Security Update : MozillaFirefox (openSUSE-2015-565) NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_40_0_3.NASL description The version of Mozilla Firefox installed on the remote Mac OS X host is prior to 40.0.3. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the last seen 2020-06-01 modified 2020-06-02 plugin id 85687 published 2015-08-28 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85687 title Firefox < 40.0.3 Multiple Vulnerabilities (Mac OS X) NASL family Windows NASL id MOZILLA_FIREFOX_40_0_3.NASL description The version of Mozilla Firefox installed on the remote Windows host is prior to 40.0.3. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the last seen 2020-06-01 modified 2020-06-02 plugin id 85689 published 2015-08-28 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85689 title Firefox < 40.0.3 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3345.NASL description Multiple security issues have been found in Iceweasel, Debian last seen 2020-06-01 modified 2020-06-02 plugin id 85696 published 2015-08-31 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85696 title Debian DSA-3345-1 : iceweasel - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1693.NASL description Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. last seen 2020-05-31 modified 2015-08-28 plugin id 85680 published 2015-08-28 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85680 title RHEL 5 / 6 / 7 : firefox (RHSA-2015:1693) NASL family Scientific Linux Local Security Checks NASL id SL_20150827_FIREFOX_ON_SL5_X.NASL description A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) After installing the update, Firefox must be restarted for the changes to take effect. last seen 2020-03-18 modified 2015-08-31 plugin id 85706 published 2015-08-31 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85706 title Scientific Linux Security Update : firefox on SL5.x, SL6.x, SL7.x i386/x86_64 (20150827) NASL family Windows NASL id MOZILLA_FIREFOX_38_2_1_ESR.NASL description The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 38.2.1. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the last seen 2020-06-01 modified 2020-06-02 plugin id 85688 published 2015-08-28 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85688 title Firefox ESR < 38.2.1 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1476-1.NASL description Mozilla Firefox was updated to version 38.2.1 ESR to fix several critical and non critical security vulnerabilities. - Firefox was updated to 38.2.1 ESR (bsc#943608) - MFSA 2015-94/CVE-2015-4497 (bsc#943557) Use-after-free when resizing canvas element during restyling - MFSA 2015-95/CVE-2015-4498 (bsc#943558) Add-on notification bypass through data URLs - Firefox was updated to 38.2.0 ESR (bsc#940806) - MFSA 2015-78/CVE-2015-4495 (bmo#1178058, bmo#1179262) Same origin violation and local file stealing via PDF reader - MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 (bmo#1143130, bmo#1161719, bmo#1177501, bmo#1181204, bmo#1184068, bmo#1188590, bmo#1146213, bmo#1178890, bmo#1182711) Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) - MFSA 2015-80/CVE-2015-4475 (bmo#1175396) Out-of-bounds read with malformed MP3 file - MFSA 2015-82/CVE-2015-4478 (bmo#1105914) Redefinition of non-configurable JavaScript object properties - MFSA 2015-83/CVE-2015-4479 (bmo#1185115, bmo#1144107, bmo#1170344, bmo#1186718) Overflow issues in libstagefright - MFSA 2015-87/CVE-2015-4484 (bmo#1171540) Crash when using shared memory in JavaScript - MFSA 2015-88/CVE-2015-4491 (bmo#1184009) Heap overflow in gdk-pixbuf when scaling bitmap images - MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 (bmo#1177948, bmo#1178148) Buffer overflows on Libvpx when decoding WebM video - MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 (bmo#1176270, bmo#1182723, bmo#1171603) Vulnerabilities found through code inspection - MFSA 2015-92/CVE-2015-4492 (bmo#1185820) Use-after-free in XMLHttpRequest with shared workers Mozilla NSS switched the CKBI ABI from 1.98 to 2.4, which is what Firefox 38ESR uses. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 85763 published 2015-09-03 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85763 title SUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2015:1476-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1693.NASL description Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 86498 published 2015-10-22 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86498 title CentOS 5 / 6 / 7 : firefox (CESA-2015:1693) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2723-1.NASL description A use-after-free was discovered when resizing a canvas element during restyling in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. (CVE-2015-4497) Bas Venis discovered that the addon install permission prompt could be bypassed using data: URLs in some circumstances. It was also discovered that the installation notification could be made to appear over another site. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to install a malicious addon. (CVE-2015-4498). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 85682 published 2015-08-28 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85682 title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : firefox vulnerabilities (USN-2723-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1693.NASL description From Red Hat Security Advisory 2015:1693 : Updated firefox packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A flaw was found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2015-4497) A flaw was found in the way Firefox handled installation of add-ons. An attacker could use this flaw to bypass the add-on installation prompt, and trick the user inso installing an add-on from a malicious source. (CVE-2015-4498) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jean-Max Reymond, Ucha Gobejishvili, and Bas Venis as the original reporters of these issues. All Firefox users should upgrade to these updated packages, which contain Firefox version 38.2.1 ESR, which corrects these issues. After installing the update, Firefox must be restarted for the changes to take effect. last seen 2020-05-31 modified 2015-08-28 plugin id 85679 published 2015-08-28 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85679 title Oracle Linux 5 / 6 / 7 : firefox (ELSA-2015-1693) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1504-1.NASL description Mozilla Firefox was updated to 38.2.1 ESR, fixing two severe security bugs. (bsc#943608) - MFSA 2015-94/CVE-2015-4497 (bsc#943557): Use-after-free when resizing canvas element during restyling - MFSA 2015-95/CVE-2015-4498 (bsc#943558): Add-on notification bypass through data URLs Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 85868 published 2015-09-09 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85868 title SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2015:1504-1) NASL family MacOS X Local Security Checks NASL id MACOSX_FIREFOX_38_2_1_ESR.NASL description The version of Mozilla Firefox ESR installed on the remote Mac OS X host is prior to 38.2.1. It is, therefore, affected by the following vulnerabilities : - A use-after-free error exists when handling restyling operations during the resizing of canvas elements due to the canvas references being recreated, thus destroying the original references. A remote, unauthenticated attacker can exploit this to deference already freed memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-4497) - A security feature bypass vulnerability exists due to a flaw that allows the manipulation of the last seen 2020-06-01 modified 2020-06-02 plugin id 85686 published 2015-08-28 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85686 title Firefox ESR < 38.2.1 Multiple Vulnerabilities (Mac OS X) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-2081-1.NASL description MozillaFirefox ESR was updated to version 38.4.0ESR to fix multiple security issues. MFSA 2015-116/CVE-2015-4513 Miscellaneous memory safety hazards (rv:42.0 / rv:38.4) MFSA 2015-122/CVE-2015-7188 Trailing whitespace in IP address hostnames can bypass same-origin policy MFSA 2015-123/CVE-2015-7189 Buffer overflow during image interactions in canvas MFSA 2015-127/CVE-2015-7193 CORS preflight is bypassed when non-standard Content-Type headers are received MFSA 2015-128/CVE-2015-7194 Memory corruption in libjar through zip files MFSA 2015-130/CVE-2015-7196 JavaScript garbage collection crash with Java applet MFSA 2015-131/CVE-2015-7198/CVE-2015-7199/CVE-2015-7200 Vulnerabilities found through code inspection MFSA 2015-132/CVE-2015-7197 Mixed content WebSocket policy bypass through workers MFSA 2015-133/CVE-2015-7181/CVE-2015-7182/CVE-2015-7183 NSS and NSPR memory corruption issues It also includes fixes from 38.3.0ESR : MFSA 2015-96/CVE-2015-4500/CVE-2015-4501 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) MFSA 2015-101/CVE-2015-4506 Buffer overflow in libvpx while parsing vp9 format video MFSA 2015-105/CVE-2015-4511 Buffer overflow while decoding WebM video MFSA 2015-106/CVE-2015-4509 Use-after-free while manipulating HTML media content MFSA 2015-110/CVE-2015-4519 Dragging and dropping images exposes final URL after redirects MFSA 2015-111/CVE-2015-4520 Errors in the handling of CORS preflight request headers MFSA 2015-112/CVE-2015-4517/CVE-2015-4521/CVE-2015-4522 CVE-2015-7174/CVE-2015-7175/CVE-2015-7176/CVE-2015-7177 CVE-2015-7180 Vulnerabilities found through code inspection It also includes fixes from the Firefox 38.2.1ESR release : MFSA 2015-94/CVE-2015-4497 (bsc#943557) Use-after-free when resizing canvas element during restyling MFSA 2015-95/CVE-2015-4498 (bsc#943558) Add-on notification bypass through data URLs It also includes fixes from the Firefox 38.2.0ESR release : MFSA 2015-79/CVE-2015-4473/CVE-2015-4474 Miscellaneous memory safety hazards (rv:40.0 / rv:38.2) MFSA 2015-80/CVE-2015-4475 Out-of-bounds read with malformed MP3 file MFSA 2015-82/CVE-2015-4478 Redefinition of non-configurable JavaScript object properties MFSA 2015-83/CVE-2015-4479 Overflow issues in libstagefright MFSA 2015-87/CVE-2015-4484 Crash when using shared memory in JavaScript MFSA 2015-88/CVE-2015-4491 Heap overflow in gdk-pixbuf when scaling bitmap images MFSA 2015-89/CVE-2015-4485/CVE-2015-4486 Buffer overflows on Libvpx when decoding WebM video MFSA 2015-90/CVE-2015-4487/CVE-2015-4488/CVE-2015-4489 Vulnerabilities found through code inspection MFSA 2015-92/CVE-2015-4492 Use-after-free in XMLHttpRequest with shared workers Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 87063 published 2015-11-25 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87063 title SUSE SLES10 Security Update : Mozilla Firefox (SUSE-SU-2015:2081-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_237A201C888B487F84D37D92266381D6.NASL description The Mozilla Project reports : MFSA 2015-95 Add-on notification bypass through data URLs MFSA 2015-94 Use-after-free when resizing canvas element during restyling last seen 2020-06-01 modified 2020-06-02 plugin id 85699 published 2015-08-31 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85699 title FreeBSD : mozilla -- multiple vulnerabilities (237a201c-888b-487f-84d3-7d92266381d6)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00000.html
- http://rhn.redhat.com/errata/RHSA-2015-1693.html
- http://rhn.redhat.com/errata/RHSA-2015-1693.html
- http://www.debian.org/security/2015/dsa-3345
- http://www.debian.org/security/2015/dsa-3345
- http://www.mozilla.org/security/announce/2015/mfsa2015-95.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-95.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/76505
- http://www.securityfocus.com/bid/76505
- http://www.securitytracker.com/id/1033396
- http://www.securitytracker.com/id/1033396
- http://www.ubuntu.com/usn/USN-2723-1
- http://www.ubuntu.com/usn/USN-2723-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1042699
- https://bugzilla.mozilla.org/show_bug.cgi?id=1042699