CVE-2014-1480
First published: Thu Feb 06 2014(Updated: )
The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| openSUSE | =11.4 | |
| openSUSE | =12.3 | |
| openSUSE | =13.1 | |
| SUSE Linux Enterprise Desktop with Beagle | =11-sp3 | |
| SUSE Linux Enterprise Server | =11-sp3 | |
| suse linux enterprise server vmware | =11-sp3 | |
| SUSE Linux Enterprise Software Development Kit | =11-sp3 | |
| Oracle Solaris SPARC | =11.3 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 | |
| Ubuntu Linux | =13.10 | |
| Mozilla Firefox | <27.0 | |
| Mozilla SeaMonkey | <2.24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html
- http://osvdb.org/102867
- http://secunia.com/advisories/56888
- http://www.mozilla.org/security/announce/2014/mfsa2014-03.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/65331
- http://www.securitytracker.com/id/1029717
- http://www.securitytracker.com/id/1029720
- http://www.ubuntu.com/usn/USN-2102-1
- http://www.ubuntu.com/usn/USN-2102-2
- https://bugzilla.mozilla.org/show_bug.cgi?id=916726
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90897
- https://security.gentoo.org/glsa/201504-01
Frequently Asked Questions
What is the severity of CVE-2014-1480?
CVE-2014-1480 has a medium severity rating as it allows for clickjacking attacks that can lead to unauthorized file downloads.
How do I fix CVE-2014-1480?
To fix CVE-2014-1480, update Mozilla Firefox to version 27.0 or later, or update SeaMonkey to version 2.24 or later.
Which versions of Firefox are affected by CVE-2014-1480?
CVE-2014-1480 affects all versions of Mozilla Firefox prior to 27.0.
Which versions of SeaMonkey are impacted by CVE-2014-1480?
CVE-2014-1480 impacts all versions of SeaMonkey before version 2.24.
What type of attack can CVE-2014-1480 facilitate?
CVE-2014-1480 can facilitate clickjacking attacks, allowing attackers to trigger unintended downloads.
- agent/type
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- vendor/opensuse
- canonical/opensuse
- version/opensuse/11.4
- version/opensuse/12.3
- version/opensuse/13.1
- vendor/suse
- canonical/suse linux enterprise desktop with beagle
- version/suse linux enterprise desktop with beagle/11-sp3
- canonical/suse linux enterprise server
- version/suse linux enterprise server/11-sp3
- canonical/suse linux enterprise server vmware
- version/suse linux enterprise server vmware/11-sp3
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/11-sp3
- vendor/oracle
- canonical/oracle solaris sparc
- version/oracle solaris sparc/11.3
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10
- version/ubuntu linux/13.10
- vendor/mozilla
- canonical/mozilla firefox
- canonical/mozilla seamonkey