CVE-2014-8636
72Vexday Risk Score
Patch now. It exploitation observed by VulnCheck and has a working public exploit.
ssvc Actepss 66%
from disclosure to weapon69 days
Published on NVDJan 14
1st PoC+69d
metasploitJan 20
VulnCheck+726d
exploitation probability
66%top 1% of all CVEs
observed exploitation
yesVulnCheck
2 public exploit(s)
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
Affected products
n/a · n/apublic PoCs found — 2
exploitdbwww.exploit-db.com/exploits/36480unverifiedcve_referencepacketstormsecurity.com/files/130972/Firefox-Proxy-Prototype-Privileged-Javascript-Injection.htmlunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00014.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00032.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00033.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-01/msg00036.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-02/msg00002.htmlhttp://packetstormsecurity.com/files/130972/Firefox-Proxy-Prototype-Privileged-Javascript-Injection.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=987794https://community.rapid7.com/community/metasploit/blog/2015/03/23/r7-2015-04-disclosure-mozilla-firefox-proxy-prototype-rce-cve-2014-8636http://secunia.com/advisories/62242http://secunia.com/advisories/62250http://secunia.com/advisories/62418http://secunia.com/advisories/62446