CVE-2014-1539 - Vulnerability Details - OpenCVE

Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not ensure visibility of the cursor after interaction with a Flash object and a DIV element, which makes it easier for remote attackers to conduct clickjacking attacks via JavaScript code that produces a fake cursor image.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apple	Mac Os X
Mozilla	Firefox Thunderbird

Configuration 1 [-]

AND

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird:24.0:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.0.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.1.1:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.2:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.3:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.4:::::::*
	cpe:2.3:a:mozilla:thunderbird:24.5:::::::*

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-updates/2014-06/msg00040.html
http://lists.opensuse.org/opensuse-updates/2014-07/msg00001.html
http://secunia.com/advisories/59171
http://secunia.com/advisories/59387
http://secunia.com/advisories/59486
http://www.mozilla.org/security/announce/2014/mfsa2014-50.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/67967
http://www.securitytracker.com/id/1030388
https://bugzilla.mozilla.org/show_bug.cgi?id=995603
https://security.gentoo.org/glsa/201504-01

History

No history.

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2014-06-11T10:00:00

Updated: 2024-08-06T09:42:36.301Z

Reserved: 2014-01-16T00:00:00

Link: CVE-2014-1539

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-06-11T10:57:17.893

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-1539

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-06-10T00:00:00", "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not ensure visibility of the cursor after interaction with a Flash object and a DIV element, which makes it easier for remote attackers to conduct clickjacking attacks via JavaScript code that produces a fake cursor image."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-27T18:57:01", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"name": "openSUSE-SU-2014:0819", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00040.html"}, {"name": "59387", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59387"}, {"name": "1030388", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1030388"}, {"name": "openSUSE-SU-2014:0855", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-07/msg00001.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-50.html"}, {"name": "GLSA-201504-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201504-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "67967", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/67967"}, {"name": "59171", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59171"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=995603"}, {"name": "59486", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/59486"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2014-1539", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not ensure visibility of the cursor after interaction with a Flash object and a DIV element, which makes it easier for remote attackers to conduct clickjacking attacks via JavaScript code that produces a fake cursor image."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2014:0819", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00040.html"}, {"name": "59387", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59387"}, {"name": "1030388", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1030388"}, {"name": "openSUSE-SU-2014:0855", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-07/msg00001.html"}, {"name": "http://www.mozilla.org/security/announce/2014/mfsa2014-50.html", "refsource": "CONFIRM", "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-50.html"}, {"name": "GLSA-201504-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201504-01"}, {"name": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "67967", "refsource": "BID", "url": "http://www.securityfocus.com/bid/67967"}, {"name": "59171", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59171"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=995603", "refsource": "CONFIRM", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=995603"}, {"name": "59486", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/59486"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:42:36.301Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2014:0819", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00040.html"}, {"name": "59387", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59387"}, {"name": "1030388", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1030388"}, {"name": "openSUSE-SU-2014:0855", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-07/msg00001.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-50.html"}, {"name": "GLSA-201504-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201504-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "67967", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/67967"}, {"name": "59171", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59171"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=995603"}, {"name": "59486", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/59486"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2014-1539", "datePublished": "2014-06-11T10:00:00", "dateReserved": "2014-01-16T00:00:00", "dateUpdated": "2024-08-06T09:42:36.301Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8B8514D-277D-4D79-84E3-73BF050CE927", "versionEndIncluding": "29.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0B063ED-8BD8-4E14-8990-D23CCB0A20BB", "versionEndIncluding": "24.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.0:*:*:*:*:*:*:*", "matchCriteriaId": "7CCAFDF1-10BB-4AB0-9C9D-E99DDBA901BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "31EE89B8-705F-4A05-9015-3D6E81D394E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.1:*:*:*:*:*:*:*", "matchCriteriaId": "E30AE3D4-6A3E-435E-BDBF-1A9A17297433", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "B0C705A0-62C0-485A-A077-C7DD426F80B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.2:*:*:*:*:*:*:*", "matchCriteriaId": "66C802A7-E4D5-4D2D-9CE8-749A75DF7461", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.3:*:*:*:*:*:*:*", "matchCriteriaId": "4E8A57FA-AC27-4288-8E42-97DECF3B993C", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.4:*:*:*:*:*:*:*", "matchCriteriaId": "1D474B11-98D0-41A3-A98B-CFB6955264AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:24.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD940E-9EF0-460B-A721-E70C719F2244", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "matchCriteriaId": "0FF5999A-9D12-4CDD-8DE9-A89C10B2D574", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not ensure visibility of the cursor after interaction with a Flash object and a DIV element, which makes it easier for remote attackers to conduct clickjacking attacks via JavaScript code that produces a fake cursor image."}, {"lang": "es", "value": "Mozilla Firefox anterior a 30.0 y Thunderbird hasta 24.6 en OS X no aseguran la visibilidad del cursor despu\u00e9s de una interacci\u00f3n con un objeto Flash y un elemento DIV, lo que facilita a atacantes remotos realizar ataques de clickjacking a trav\u00e9s de c\u00f3digo JavaScript que produce un imagen del cursor falso."}], "id": "CVE-2014-1539", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-06-11T10:57:17.893", "references": [{"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00040.html"}, {"source": "security@mozilla.org", "url": "http://lists.opensuse.org/opensuse-updates/2014-07/msg00001.html"}, {"source": "security@mozilla.org", "url": "http://secunia.com/advisories/59171"}, {"source": "security@mozilla.org", "url": "http://secunia.com/advisories/59387"}, {"source": "security@mozilla.org", "url": "http://secunia.com/advisories/59486"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-50.html"}, {"source": "security@mozilla.org", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "security@mozilla.org", "url": "http://www.securityfocus.com/bid/67967"}, {"source": "security@mozilla.org", "url": "http://www.securitytracker.com/id/1030388"}, {"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=995603"}, {"source": "security@mozilla.org", "url": "https://security.gentoo.org/glsa/201504-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2014-07/msg00001.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59171"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59387"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/59486"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.mozilla.org/security/announce/2014/mfsa2014-50.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/67967"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1030388"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=995603"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201504-01"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}