Cross-Site Scripting Vulnerabilities in Gaia's Search App for Mozilla Firefox OS
CVE-2015-2745

Currently unrated

Key Information:

Vendor: Mozilla
Status: Firefox Os
Vendor: CVE Published:; 8 August 2015

What is CVE-2015-2745?

Multiple cross-site scripting (XSS) vulnerabilities exist in the Search app within Gaia on Mozilla Firefox OS versions prior to 2.2. These vulnerabilities allow remote attackers to inject arbitrary HTML content. This occurs via the name or title fields in card content associated with a search link, which is improperly handled after specific user actions, such as pressing the HOME button or performing a Show Windows action. As a result, attackers could potentially embed malicious applications or spoof legitimate account-creation pages, leading to further exploitation.

References

http://www.mozilla.org/security/announce/2015/mfsa2015-73...

x_refsource_CONFIRM

https://github.com/mozilla-b2g/gaia/commit/0f72a8c31df9f3...

x_refsource_CONFIRM

https://bugzilla.mozilla.org/show_bug.cgi?id=1101158

x_refsource_CONFIRM

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 8, 2015
Vulnerability Reserved
Mar 25, 2015