Arbitrary XSLT Code Execution Vulnerability in Mozilla Firefox and SeaMonkey
CVE-2014-1485 · HIGH Severity
AV:N/AC:L/AU:N/C:P/I:P/A:P
The Content Security Policy (CSP) implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to style-src directives instead of script-src directives, which might allow remote attackers to execute arbitrary XSLT code by leveraging insufficient style-src restrictions.
Learn more about our Cis Benchmark Audit For Mozilla Firefox.