Description
The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
References (8)
Core 8
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2768-1
Vendor Advisory x_refsource_confirm
http://www.mozilla.org/security/announce/2015/mfsa2015-115.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html
Vendor Advisory x_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1212669
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1033820
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/77100
Scores
EPSS
0.0024
EPSS Percentile
47.6%
Details
CWE
CWE-284
Status
published
Products (1)
mozilla/firefox
< 41.0.1
Published
Oct 18, 2015
Tracked Since
Feb 18, 2026