Impact
If at least one mod makes use of the HTTP API (access is granted via secure.http_mods), then a different, untrusted mod can intercept the API functions and also receive access to the HTTP API.
The HTTP API has the ability to make arbitrary HTTP requests (GET/POST or other methods) and initiate FTP transactions to hosts on any network(s) the user's computer is connected to.
Patches
8c99f22
Workarounds
If feasible, disable access to the HTTP API for all mods by clearing the secure.http_mods setting.
References
#11867
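To confirm the workaround is in effect, the following added example (not part of the advisory or the project's code) lists the mods that a configuration file grants HTTP API access through secure.http_mods. The sample configurations and mod names are constructed, and the parser assumes plain `name = value` lines with `#` comments.

```python
# Setting named in the advisory; its value is a comma-separated list of mod names.
SETTING = "secure.http_mods"

def http_mods(conf_text):
    """Return the mod names granted HTTP API access in the given config text.

    Every assignment of the setting is reported, so a duplicated key
    cannot hide a grant from the audit.
    """
    mods = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        name, sep, value = line.partition("=")
        if not sep or name.strip() != SETTING:
            continue
        for mod in value.split(","):
            mod = mod.strip()
            if mod and mod not in mods:
                mods.append(mod)
    return mods

def audit(conf_text):
    """Return (exposed, mods); exposed is True when any mod holds the grant."""
    mods = http_mods(conf_text)
    return bool(mods), mods

# Constructed sample configurations (not taken from a real server).
SAMPLE_EXPOSED = """\
# constructed sample: two mods hold the HTTP API grant
secure.enable_security = true
#secure.http_mods = old_mod
secure.http_mods = mapserver, discord_relay
"""

SAMPLE_CLEARED = """\
secure.enable_security = true
secure.http_mods =
"""

if __name__ == "__main__":
    import sys
    # Pass a config file path as the first argument; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPOSED
    exposed, mods = audit(text)
    print("HTTP API granted to:", ", ".join(mods) if exposed else "no mods")
    sys.exit(1 if exposed else 0)
```

The script exits non-zero while any mod is still listed, so it can gate a deployment check until the setting is cleared or the patched version is installed.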