Red Hat Bugzilla – Bug 1252288
CVE-2015-4483 Mozilla: Feed: protocol with POST bypasses mixed content protections (MFSA 2015-86)
Last modified: 2015-11-24 07:23:42 EST
Security researcher Masato Kinugawa reported that opening a target page using a POST to the URL prefixed with the feed: protocol disables the mixed content blocker for that page. This could expose pages that accidentally include insecure content, which would otherwise be blocked, to a man-in-the-middle (MITM) scripting attack.
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Masato Kinugawa as the original reporter.
This issue does not affect the versions of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.