CVE-2014-8638: CSRF
First published: Wed Jan 14 2015(Updated: )
The navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | =31.0 | |
| Mozilla Firefox ESR | =31.1.0 | |
| Mozilla Firefox ESR | =31.1.1 | |
| Mozilla Firefox ESR | =31.2 | |
| Mozilla Firefox ESR | =31.3.0 | |
| Mozilla Thunderbird | <=31.3.0 | |
| Mozilla Firefox | <=34.0.5 | |
| Mozilla SeaMonkey | <=2.31 | |
| Mozilla Firefox | =31.0 | |
| Mozilla Firefox | =31.1.0 | |
| Mozilla Firefox | =31.1.1 | |
| Mozilla Firefox | =31.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://linux.oracle.com/errata/ELSA-2015-0046.html
- http://linux.oracle.com/errata/ELSA-2015-0047.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.html
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00031.html
- http://lists.opensuse.org/opensuse-updates/2015-01/msg00071.html
- http://rhn.redhat.com/errata/RHSA-2015-0046.html
- http://rhn.redhat.com/errata/RHSA-2015-0047.html
- http://secunia.com/advisories/62237
- http://secunia.com/advisories/62242
- http://secunia.com/advisories/62250
- http://secunia.com/advisories/62253
- http://secunia.com/advisories/62259
- http://secunia.com/advisories/62273
- http://secunia.com/advisories/62274
- http://secunia.com/advisories/62283
- http://secunia.com/advisories/62293
- http://secunia.com/advisories/62304
- http://secunia.com/advisories/62313
- http://secunia.com/advisories/62315
- http://secunia.com/advisories/62316
- http://secunia.com/advisories/62418
- http://secunia.com/advisories/62446
- http://secunia.com/advisories/62657
- http://secunia.com/advisories/62790
- http://www.debian.org/security/2015/dsa-3127
- http://www.debian.org/security/2015/dsa-3132
- http://www.mozilla.org/security/announce/2014/mfsa2015-03.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.securityfocus.com/bid/72047
- http://www.securitytracker.com/id/1031533
- http://www.securitytracker.com/id/1031534
- http://www.ubuntu.com/usn/USN-2460-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1080987
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99958
- https://security.gentoo.org/glsa/201504-01
Frequently Asked Questions
What is the severity of CVE-2014-8638?
The severity of CVE-2014-8638 is classified as high due to the potential for cross-site request forgery attacks.
How do I fix CVE-2014-8638?
To fix CVE-2014-8638, update your Mozilla Firefox, Firefox ESR, Thunderbird, or SeaMonkey to the latest versions that are no longer vulnerable.
What versions are affected by CVE-2014-8638?
CVE-2014-8638 affects Mozilla Firefox before version 35.0, Firefox ESR before version 31.4, Thunderbird before version 31.4, and SeaMonkey before version 2.32.
What type of vulnerability is CVE-2014-8638?
CVE-2014-8638 is a cross-origin resource sharing (CORS) vulnerability that can lead to cross-site request forgery.
Can I still use affected software while waiting for a fix for CVE-2014-8638?
It is not recommended to use affected software without applying the necessary updates due to the potential security risks associated with CVE-2014-8638.
- agent/type
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/references
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/author
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/source
- vendor/mozilla
- canonical/mozilla firefox esr
- version/mozilla firefox esr/31.0
- version/mozilla firefox esr/31.1.0
- version/mozilla firefox esr/31.1.1
- version/mozilla firefox esr/31.2
- version/mozilla firefox esr/31.3.0
- canonical/mozilla thunderbird
- version/mozilla thunderbird/31.3.0
- canonical/mozilla firefox
- version/mozilla firefox/34.0.5
- canonical/mozilla seamonkey
- version/mozilla seamonkey/2.31
- version/mozilla firefox/31.0
- version/mozilla firefox/31.1.0
- version/mozilla firefox/31.1.1
- version/mozilla firefox/31.3.0