CVE-2015-7184
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
18/10/2015
Last modified:
12/04/2025
Description
The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Impact
Base Score 2.0
6.80
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* | 41.0.1 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-115.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/77100
- http://www.securitytracker.com/id/1033820
- http://www.ubuntu.com/usn/USN-2768-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
- https://bugzilla.mozilla.org/show_bug.cgi?id=1212669
- http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00021.html
- http://www.mozilla.org/security/announce/2015/mfsa2015-115.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/77100
- http://www.securitytracker.com/id/1033820
- http://www.ubuntu.com/usn/USN-2768-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=1208339
- https://bugzilla.mozilla.org/show_bug.cgi?id=1212669