VYPR
High severity 7.5 · NVD Advisory · Published Feb 6, 2014 · Updated Apr 29, 2026

CVE-2014-1479

Description

System Only Wrapper (SOW) in Firefox <27, Thunderbird <24.3, SeaMonkey <2.24 allows XBL content scope bypass, enabling cloning of restricted XUL content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The System Only Wrapper (SOW) implementation in Mozilla Firefox before version 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 fails to properly restrict cloning operations involving XBL content scopes [1][2][3]. This flaw allows remote attackers to bypass intended security restrictions on XUL content by exploiting vectors that manipulate XBL content scopes [4]. The vulnerability, tracked as CVE-2014-1479 and reported by Cody Crews, enables the theft (cloning) of native anonymous content, which should be protected from web-accessible scripts [4].

Exploitation

An attacker can exploit this vulnerability by crafting malicious web content that triggers the cloning of native anonymous XUL content through XBL scopes [4]. The attacker does not require any special authentication or user privileges; the exploitation occurs when a user visits a specially crafted web page using a vulnerable browser [1][2]. The attacker must induce the user to open the malicious content. In the case of Thunderbird, scripting must be enabled in the mail client for successful exploitation [3].

Impact

Successful exploitation allows an attacker to bypass the XUL content restrictions that SOW is intended to enforce [1][2][3]. This can lead to a denial of service (crash) of the browser or mail client, and when combined with other vulnerabilities, could potentially enable arbitrary code execution with the privileges of the user running the application [1][3]. Additionally, the flaw could be used to steal confidential data from the user's session [3].

Mitigation

Mozilla addressed this vulnerability in Firefox 27.0, Firefox ESR 24.3, Thunderbird 24.3, and SeaMonkey 2.24 [1][2][3]. Red Hat released updated packages (RHSA-2014:0132 and RHSA-2014:0133) for Red Hat Enterprise Linux 5 and 6 [1][2]. Ubuntu issued USN-2119-1 covering Thunderbird on Ubuntu 12.04 LTS, 13.10, and 13.04 [3]. Users should update to the fixed versions as soon as possible. No workaround is available beyond the patched release.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

33

References

33
