What is CVE-2014-1524?

CVE-2014-1524 is a critical-severity vulnerability in Mozilla Firefox, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.8/10. Published 2014-04-30.

How severe is CVE-2014-1524?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Buffer overflow in Mozilla Firefox

CVE-2014-1524

The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 does not properly check whether objects are XBL objects, which allows remot…

Vulnerability class: Buffer Overflow

EPSS: 0.064 (91.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Mozilla Firefox
Mozilla Seamonkey
Mozilla Thunderbird
Canonical Ubuntu_linux — versions 12.04, 12.10, 13.10
Debian Debian_linux — versions 7.0, 8.0
Fedoraproject Fedora — versions 19, 20
Opensuse — versions 11.4, 12.3, 13.1
Redhat Enterprise_linux_desktop — versions 5.0, 6.0
Redhat Enterprise_linux_eus — versions 6.5
Redhat Enterprise_linux_server — versions 5.0, 6.0

Weakness classification (CWE)

CWE-120 — Buffer Copy without Checking Size of Input (Classic Buffer Overflow)

References

RHSA-2014:0448 (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
FEDORA-2014-5833 (x_refsource_FEDORA, vendor-advisory, Mailing List, Third Party Advisory)
openSUSE-SU-2014:0602 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
openSUSE-SU-2014:0599 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
security@mozilla.org (x_refsource_CONFIRM, Exploit, Issue Tracking, Vendor Advisory)
openSUSE-SU-2014:0629 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
SUSE-SU-2014:0727 (vendor-advisory, Mailing List, Third Party Advisory, x_refsource_SUSE)
security@mozilla.org (x_refsource_CONFIRM, Vendor Advisory)
GLSA-201504-01 (vendor-advisory, Third Party Advisory, x_refsource_GENTOO)
1030165 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_SECTRACK)

Frequently asked questions

What is CVE-2014-1524?: CVE-2014-1524 is a critical-severity vulnerability in Mozilla Firefox, classified under Buffer Copy without Checking Size of Input (Classic Buffer Overflow). CVSS score: 9.8/10. Published 2014-04-30.
How severe is CVE-2014-1524?: Critical severity. CVSS v3 base score is 9.8 out of 10.