Session Fixation Vulnerability in Mozilla Products
CVE-2014-8639
Currently unrated
Summary
Mozilla products, including Firefox, Thunderbird, and SeaMonkey, do not correctly interpret Set-Cookie headers in responses that require proxy authentication (407 status code). A remote HTTP proxy server can exploit this by supplying a cookie whose name matches the session cookie used by the origin server, potentially allowing an attacker to hijack user sessions.
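The condition described in the summary can be looked for in captured proxy traffic by flagging any 407 response that carries a Set-Cookie header. The following is an added example, not code from Mozilla or from the CVE record; the watch list of session cookie names, the function names, and the sample responses are constructed assumptions.

```python
# Added example: audit captured HTTP response heads for Set-Cookie on 407 replies.
# The watch list and SAMPLES are constructed for illustration.
SESSION_COOKIE_NAMES = {"sessionid", "phpsessid", "jsessionid"}  # assumed watch list


def parse_head(raw: bytes):
    """Return (status_code, [(lowercased_header_name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response status line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines that have no colon
            headers.append((name.strip().lower(), value.strip()))
    return int(parts[1]), headers


def cookie_name(set_cookie_value: str) -> str:
    """The cookie name is the text before the first '=' of the first pair."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def audit_response(raw: bytes, watch=SESSION_COOKIE_NAMES):
    """List Set-Cookie headers carried by a 407 response; [] for other statuses."""
    status, headers = parse_head(raw)
    if status != 407:
        return []
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            cname = cookie_name(value)
            # A name on the watch list collides with an origin session cookie.
            severity = "high" if cname.lower() in watch else "review"
            findings.append({"cookie": cname, "severity": severity})
    return findings


SAMPLES = [  # constructed response heads
    b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n"
    b"Set-Cookie: sessionid=constructed-value; Path=/\r\nSet-Cookie: lang=en\r\n\r\n",
    b"HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=constructed-value; Path=/\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit_response(raw))
```

The watch-list comparison is case-insensitive so that naming variants are caught; replace the set with the session cookie names your own applications issue.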
References
Timeline
Vulnerability published
Vulnerability Reserved