CVE-2014-1480

high

Description

The file-download implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 does not properly restrict the timing of button selections, which allows remote attackers to conduct clickjacking attacks, and trigger unintended launching of a downloaded file, via a crafted web site.

References

https://security.gentoo.org/glsa/201504-01

https://exchange.xforce.ibmcloud.com/vulnerabilities/90897

https://bugzilla.mozilla.org/show_bug.cgi?id=916726

http://www.ubuntu.com/usn/USN-2102-2

http://www.ubuntu.com/usn/USN-2102-1

http://www.securitytracker.com/id/1029720

http://www.securitytracker.com/id/1029717

http://www.securityfocus.com/bid/65331

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.mozilla.org/security/announce/2014/mfsa2014-03.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html

Details

Source: Mitre, NVD

Published: 2014-02-06

Updated: 2020-08-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Severity: High