Launchpad.net

CVE 2014-1485

The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions.

Related bugs and status

CVE-2014-1485 (Candidate) is related to these bugs:

Bug #469752: firefox,3.5/3.6 startup-notification bug

		In	Importance	Status
469752	firefox,3.5/3.6 startup-notification bug	firefox-3.5 (Ubuntu)	Medium	Invalid
469752	firefox,3.5/3.6 startup-notification bug	Mozilla Firefox	Medium	Fix Released
469752	firefox,3.5/3.6 startup-notification bug	firefox-3.5 (Suse)	Medium	Fix Released
469752	firefox,3.5/3.6 startup-notification bug	firefox (Ubuntu)	Medium	Fix Released
469752	firefox,3.5/3.6 startup-notification bug	firefox (Ubuntu Lucid)	Medium	Fix Released
469752	firefox,3.5/3.6 startup-notification bug	firefox-3.5 (Ubuntu Lucid)	Medium	Invalid

Bug #1274468: Update to 27.0

Summary				In	Importance	Status
	1274468	Update to 27.0		firefox (Ubuntu)	Low	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.mozilla.org...
CONFIRM: https://bugzilla.mozil...
CONFIRM: https://8pecxstudios.c...
SUSE: SUSE-SU-2014:0248
UBUNTU: USN-2102-1
SECUNIA: 56706
SUSE: openSUSE-SU-2014:0212
UBUNTU: USN-2102-2
SUSE: openSUSE-SU-2014:0419
CONFIRM: http://www.oracle.com/...
GENTOO: GLSA-201504-01
BID: 65322
OSVDB: 102871
SECTRACK: 1029717
SECTRACK: 1029720
SECUNIA: 56767
SECUNIA: 56787
SECUNIA: 56888
XF: firefox-xslt-cve201414...