CVE-2014-1510

CRITICAL EXPLOITED

Mozilla Firefox < 28.0 - Improper Privilege Management

Title source: rule

Description

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allows remote attackers to execute arbitrary JavaScript code with chrome privileges by using an IDL fragment to trigger a window.open call.

Exploits (2)

exploitdb WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/34448
metasploit WORKING POC EXCELLENT
by Marius Mlynski, joev · ruby · poc · firefox
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/firefox_webidl_injection.rb

Scores

CVSS v3 9.8
EPSS 0.7109
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2016-08-04
CWE CWE-269
Status published
Products (24)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 12.10
canonical/ubuntu_linux 13.10
debian/debian_linux 7.0
debian/debian_linux 8.0
mozilla/firefox < 28.0
mozilla/seamonkey < 2.25
mozilla/thunderbird < 24.4
opensuse/opensuse 11.4
opensuse/opensuse 12.3
... and 14 more
Published Mar 19, 2014
Tracked Since Feb 18, 2026