CVE-2014-8636

EXPLOITED

Firefox < 34.0.5 and SeaMonkey < 2.31 - Remote Code Execution via XrayWrapper DOM Interaction

Exploitation Summary

CVE-2014-8636 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Metasploit.

AI-analyzed exploit summary: This Metasploit module exploits a privilege escalation vulnerability in Firefox 31-34 by abusing a bug in the XPConnect component to gain a reference to the privileged chrome:// window, leading to remote code execution. The exploit requires user interaction (clicking on the page) to trigger the vulnerability.

Description

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/36480

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Mozilla Firefox 31-34
No auth needed
Prerequisites: User interaction (click on the page) · Target using Firefox 31-34
devstral-2 · analyzed Feb 18, 2026

References (19)

Core References
Third Party Advisory: http://secunia.com/advisories/62242
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/72041
Third Party Advisory, VDB Entry: http://www.securitytracker.com/id/1031533
Third Party Advisory, VDB Entry: https://exchange.xforce.ibmcloud.com/vulnerabilities/99964
Third Party Advisory: http://secunia.com/advisories/62250
Third Party Advisory: http://secunia.com/advisories/62418
Third Party Advisory: https://security.gentoo.org/glsa/201504-01
Third Party Advisory: http://secunia.com/advisories/62790
Third Party Advisory: http://secunia.com/advisories/62446
Issue Tracking: https://bugzilla.mozilla.org/show_bug.cgi?id=987794

Scores

EPSS: 0.8361
EPSS Percentile: 99.3%

Details

VulnCheck KEV: 2017-01-09
CWE: CWE-94
Status: published
Products (2):
mozilla/firefox < 34.0.5
mozilla/seamonkey < 2.31
Published: Jan 14, 2015
Tracked Since: Feb 18, 2026