CVE-2014-1583
First published: Wed Oct 15 2014(Updated: )
The Alarm API in Mozilla Firefox before 33.0 and Firefox ESR 31.x before 31.2 does not properly restrict toJSON calls, which allows remote attackers to bypass the Same Origin Policy via crafted API calls that access sensitive information within the JSON data of an alarm.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <=32.0 | |
| Firefox | =30.0 | |
| Firefox | =31.0 | |
| Firefox | =31.1.0 | |
| Firefox ESR | =31.0 | |
| Firefox ESR | =31.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2014-November/141796.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/141085.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00002.html
- http://rhn.redhat.com/errata/RHSA-2014-1635.html
- http://secunia.com/advisories/61854
- http://secunia.com/advisories/62022
- http://secunia.com/advisories/62023
- http://www.debian.org/security/2014/dsa-3050
- http://www.mozilla.org/security/announce/2014/mfsa2014-82.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/70424
- http://www.securitytracker.com/id/1031028
- http://www.securitytracker.com/id/1031030
- http://www.ubuntu.com/usn/USN-2372-1
- https://advisories.mageia.org/MGASA-2014-0421.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1015540
- https://security.gentoo.org/glsa/201504-01
Frequently Asked Questions
What is the severity of CVE-2014-1583?
CVE-2014-1583 has been classified as a moderate severity vulnerability.
How do I fix CVE-2014-1583?
To fix CVE-2014-1583, update Mozilla Firefox to version 33.0 or later, or Firefox ESR to version 31.2 or later.
Which versions of Mozilla Firefox are affected by CVE-2014-1583?
CVE-2014-1583 affects Mozilla Firefox versions prior to 33.0 and Firefox ESR versions prior to 31.2.
Can CVE-2014-1583 allow data leakage?
Yes, CVE-2014-1583 can allow remote attackers to bypass the Same Origin Policy and access sensitive information.
What is the nature of the vulnerability in CVE-2014-1583?
The vulnerability in CVE-2014-1583 is due to improper restriction of toJSON calls in the Alarm API.
- agent/type
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/last-modified-date
- agent/author
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/mozilla
- canonical/firefox
- version/firefox/32.0
- version/firefox/30.0
- version/firefox/31.0
- version/firefox/31.1.0
- canonical/firefox esr
- version/firefox esr/31.0
- version/firefox esr/31.1.0