Arbitrary XSLT Code Execution Vulnerability in Mozilla Firefox and SeaMonkey

Arbitrary XSLT Code Execution Vulnerability in Mozilla Firefox and SeaMonkey

CVE-2014-1485 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions.

Learn more about our Cis Benchmark Audit For Mozilla Firefox.