vendor:
Firefox
by:
joev
7.5
CVSS
HIGH
Privilege Escalation
264
CWE
Product Name: Firefox
Affected Version From: 31
Affected Version To: 34
Patch Exists: YES
Related CWE: CVE-2014-8636
CPE: firefox
Metasploit:
https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-8636/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-8636/, https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-8636/, https://www.rapid7.com/db/vulnerabilities/mfsa2015-09-cve-2014-8636/, https://www.rapid7.com/db/vulnerabilities/mozilla-seamonkey-cve-2014-8636/
Other Scripts:
https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/multi/browser/firefox_proxy_prototype, https://www.infosecmatter.com/nessus-plugin-library/?id=81123, https://www.infosecmatter.com/nessus-plugin-library/?id=80525, https://www.infosecmatter.com/nessus-plugin-library/?id=83676, https://www.infosecmatter.com/nessus-plugin-library/?id=80520, https://www.infosecmatter.com/nessus-plugin-library/?id=80843, https://www.infosecmatter.com/nessus-plugin-library/?id=83677, https://www.infosecmatter.com/nessus-plugin-library/?id=80548, https://www.infosecmatter.com/nessus-plugin-library/?id=82632, https://www.infosecmatter.com/list-of-metasploit-windows-exploits-detailed-spreadsheet/
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
2014
Firefox Proxy Prototype Privileged Javascript Injection
This exploit gains remote code execution on Firefox 31-34 by abusing a bug in the XPConnect component and gaining a reference to the privileged chrome:// window. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Mitigation:
Update Firefox to the latest version to patch this vulnerability.