CVE-2014-8639

CVSS v2.0 6.8 (Medium)
EPSS 1.78 % (88th)
Affected Products 4
Advisories 10

Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.

Weaknesses
CWE-NVD-Other
CVE Status
PUBLISHED
CNA
Mozilla Corporation
Published Date
2015-01-14 11:59:07
(9 years ago)
Updated Date
2017-09-08 01:29:26
(7 years ago)

Affected Products


Configuration #1

    Product | CPE23 | From | Up To
    Mozilla SeaMonkey 2.31 and prior versions | cpe:2.3:a:mozilla:seamonkey | | <= 2.31

Configuration #2

    Product | CPE23 | From | Up To
    Mozilla Firefox 34.0.5 and prior versions | cpe:2.3:a:mozilla:firefox | | <= 34.0.5

Configuration #3

    Product | CPE23 | From | Up To
    Mozilla Firefox ESR 31.0 | cpe:2.3:a:mozilla:firefox_esr:31.0 | |
    Mozilla Firefox ESR 31.1.0 | cpe:2.3:a:mozilla:firefox_esr:31.1.0 | |
    Mozilla Firefox ESR 31.1.1 | cpe:2.3:a:mozilla:firefox_esr:31.1.1 | |
    Mozilla Firefox ESR 31.2 | cpe:2.3:a:mozilla:firefox_esr:31.2 | |
    Mozilla Firefox ESR 31.3.0 | cpe:2.3:a:mozilla:firefox_esr:31.3.0 | |

Configuration #4

    Product | CPE23 | From | Up To
    Mozilla Thunderbird 31.3.0 and prior versions | cpe:2.3:a:mozilla:thunderbird | | <= 31.3.0