Add mfsa for PDF reader
This commit is contained in:
Родитель
9b9036c7ee
Коммит
ded022cb1f
|
@ -0,0 +1,33 @@
|
|||
---
|
||||
announced: August 6, 2015
|
||||
fixed_in:
|
||||
- Firefox 39.0.3
|
||||
- Firefox ESR 38.1.1
|
||||
impact: Critical
|
||||
reporter: Cody Crews
|
||||
title: Same origin violation and local file stealing via PDF reader
|
||||
---
|
||||
|
||||
<h3>Description</h3>
|
||||
|
||||
<p>Security researcher <strong>Cody Crews</strong> reported on a way to
|
||||
violate the same origin policy and inject script into a non-privileged part
|
||||
of the built-in PDF Viewer. This would allow an attacker to read and steal
|
||||
sensitive local files on the victim's computer.
|
||||
</p>
|
||||
|
||||
<p>Mozilla has received reports that an exploit based on this vulnerability
|
||||
has been found in the wild.
|
||||
</p>
|
||||
|
||||
<h3>References</h3>
|
||||
|
||||
<ul>
|
||||
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1178058">
|
||||
It's possible to read local files or perform privilege escalation by
|
||||
using a native setter</a>
|
||||
(<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495"
|
||||
class="ex-ref">CVE-2015-4495</a>)</li>
|
||||
<li><a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1179262">
|
||||
Remove PlayPreview registration from PDF Viewer</a></li>
|
||||
</ul>
|
Загрузка…
Ссылка в новой задаче