CVE-2015-4518

EUVD-2015-4538
The Reader View implementation in Mozilla Firefox before 42.0 has an improper whitelist, which makes it easier for remote attackers to bypass the Content Security Policy (CSP) protection mechanism and conduct cross-site scripting (XSS) attacks via vectors involving SVG animations and the about:reader URL.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
Affected Products (NVD)
VendorProductVersion
mozillafirefox
𝑥
≤ 41.0.2
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
firefox
precise
Fixed 42.0+build2-0ubuntu0.12.04.1
released
trusty
Fixed 42.0+build2-0ubuntu0.14.04.1
released
vivid
Fixed 42.0+build2-0ubuntu0.15.04.1
released
wily
Fixed 42.0+build2-0ubuntu0.15.10.1
released
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html
http://www.mozilla.org/security/announce/2015/mfsa2015-118.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securitytracker.com/id/1034069
http://www.ubuntu.com/usn/USN-2785-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1136692
https://bugzilla.mozilla.org/show_bug.cgi?id=1182778
https://security.gentoo.org/glsa/201512-10
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00015.html
http://www.mozilla.org/security/announce/2015/mfsa2015-118.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securitytracker.com/id/1034069
http://www.ubuntu.com/usn/USN-2785-1
https://bugzilla.mozilla.org/show_bug.cgi?id=1136692
https://bugzilla.mozilla.org/show_bug.cgi?id=1182778
https://security.gentoo.org/glsa/201512-10