~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2015-08-11
Candidate: CVE-2015-4490
PublicDate: 2015-08-15
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490
 https://www.mozilla.org/en-US/security/advisories/mfsa2015-91/
 http://www.ubuntu.com/usn/usn-2702-1
Description:
 The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in
 Mozilla Firefox before 40.0 does not implement the Content Security Policy
 Level 2 exceptions for the blob, data, and filesystem URL schemes during
 wildcard source-expression matching, which might make it easier for remote
 attackers to conduct cross-site scripting (XSS) attacks by leveraging
 unexpected policy-enforcement behavior.
Ubuntu-Description: 
Notes: 
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: chrisccoulson

Patches_firefox: 
upstream_firefox: released (40.0)
precise_firefox: released (40.0+build4-0ubuntu0.12.04.1)
trusty_firefox: released (40.0+build4-0ubuntu0.14.04.1)
vivid_firefox: released (40.0+build4-0ubuntu0.15.04.1)
devel_firefox: released (40.0+build4-0ubuntu1)