{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-20T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-20T16:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "openSUSE-SU-2015:0636", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00096.html"}, {"name": "openSUSE-SU-2015:0567", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00026.html"}, {"name": "GLSA-201504-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201504-01"}, {"name": "73265", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/73265"}, {"name": "RHSA-2015:0718", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0718.html"}, {"name": "DSA-3201", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3201"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-28.html"}, {"name": "SUSE-SU-2015:0630", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00035.html"}, {"name": "1031959", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1031959"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1144988"}, {"name": "SUSE-SU-2015:0593", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00029.html"}, {"name": "USN-2538-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2538-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2015-0818", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2015:0636", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00096.html"}, {"name": "openSUSE-SU-2015:0567", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00026.html"}, {"name": "GLSA-201504-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201504-01"}, {"name": "73265", "refsource": "BID", "url": "http://www.securityfocus.com/bid/73265"}, {"name": "RHSA-2015:0718", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0718.html"}, {"name": "DSA-3201", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3201"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"}, {"name": "http://www.mozilla.org/security/announce/2015/mfsa2015-28.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-28.html"}, {"name": "SUSE-SU-2015:0630", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00035.html"}, {"name": "1031959", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031959"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1144988", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1144988"}, {"name": "SUSE-SU-2015:0593", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00029.html"}, {"name": "USN-2538-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2538-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:26:11.047Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2015:0636", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00096.html"}, {"name": "openSUSE-SU-2015:0567", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00026.html"}, {"name": "GLSA-201504-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201504-01"}, {"name": "73265", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/73265"}, {"name": "RHSA-2015:0718", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0718.html"}, {"name": "DSA-3201", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3201"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-28.html"}, {"name": "SUSE-SU-2015:0630", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00035.html"}, {"name": "1031959", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1031959"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1144988"}, {"name": "SUSE-SU-2015:0593", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00029.html"}, {"name": "USN-2538-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2538-1"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2015-0818", "datePublished": "2015-03-24T00:00:00", "dateReserved": "2015-01-07T00:00:00", "dateUpdated": "2024-08-06T04:26:11.047Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "B58A4E42-C8EB-46D0-BCF0-B39798FFE031", "versionEndIncluding": "36.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.0:*:*:*:*:*:*:*", "matchCriteriaId": "992DDB6B-F32C-4E80-B386-EB1643D079E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.1:*:*:*:*:*:*:*", "matchCriteriaId": "6D7AAC77-57A3-4747-B760-0EE3CD53E4DE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "19837144-FBCC-4B36-BAF4-FCD9F9C2AAE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "D0DB1BAA-3729-48BD-A8D0-5BBF3D4ABDE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DCA6959-24B7-4F86-BE25-0A8A7C1A3D13", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.3:*:*:*:*:*:*:*", "matchCriteriaId": "697EA344-F982-4E9F-9EC8-CCCB5829582B", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5C699284-7876-4C8D-B259-B97C60C9A349", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.4:*:*:*:*:*:*:*", "matchCriteriaId": "61304847-1DC8-442C-8194-28E52B3C1293", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.5:*:*:*:*:*:*:*", "matchCriteriaId": "8DF9724E-93B2-4BC7-8181-6D9521A6CC37", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "4C9244A7-665A-48DE-89C9-C76E7A4556F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:31.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "2E6787E1-0523-49B7-B9B3-74F2D43DB714", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E3C8442-7700-43CD-8BC7-6DAE10A77139", "versionEndIncluding": "2.33.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation."}, {"lang": "es", "value": "Mozilla Firefox anterior a 36.0.4, Firefox ESR 31.x anterior a 31.5.3, y SeaMonkey anterior a 2.33.1 permiten a atacantes remotos evadir Same Origin Policy y ejecutar c\u00f3digo JavaScript arbitrario con privilegios chrome a trav\u00e9s de vectores que involucran la navegaci\u00f3n por hashes de SVG."}], "id": "CVE-2015-0818", "lastModified": "2016-12-22T02:59:27.597", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-03-24T00:59:07.250", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00026.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00029.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00035.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2015-03/msg00096.html"}, {"source": "security@mozilla.org", "url": "http://rhn.redhat.com/errata/RHSA-2015-0718.html"}, {"source": "security@mozilla.org", "url": "http://www.debian.org/security/2015/dsa-3201"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2015/mfsa2015-28.html"}, {"source": "security@mozilla.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html"}, {"source": "security@mozilla.org", "url": "http://www.securityfocus.com/bid/73265"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1031959"}, {"source": "security@mozilla.org", "url": "http://www.ubuntu.com/usn/USN-2538-1"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1144988"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201504-01"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-264"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Mozilla project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2015:0718", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "firefox-0:31.5.3-1.el5_11", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2015-03-24T00:00:00Z"}, {"advisory": "RHSA-2015:0718", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "firefox-0:31.5.3-1.el6_6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-03-24T00:00:00Z"}, {"advisory": "RHSA-2015:0718", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:31.5.3-3.el7_1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-03-24T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Privilege escalation through SVG navigation (MFSA 2015-28)", "id": "1204363", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1204363"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "verified"}, "details": ["Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey before 2.33.1 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving SVG hash navigation."], "name": "CVE-2015-0818", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2015-03-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-0818\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-0818\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2015-28"], "statement": "This issue does not affect the version of thunderbird package as shipped with Red Hat Enterprise Linux 5, 6 and 7.", "threat_severity": "Critical"}