CVE-2015-4495

HIGH KEV

Mozilla Firefox < 39.0.3 - Origin Validation Error

Title source: rule

Description

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

Exploits (3)

exploitdb WORKING POC
by Tantaryu MING · javascript · local · multiple
https://www.exploit-db.com/exploits/37772

nomisec WORKING POC 1 star
by vincd · remote
https://github.com/vincd/CVE-2015-4495

metasploit WORKING POC
by Unknown, fukusa, Unknown · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/firefox_pdfjs_file_theft.rb

References (18)

Scores

CVSS v3 8.8
EPSS 0.7157
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-05-25
VulnCheck KEV 2015-08-05
InTheWild.io 2015-08-05
ENISA EUVD EUVD-2015-4515
CWE CWE-346
Status published
Products (40)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.04
mozilla/firefox < 39.0.3 (2 CPE variants)
mozilla/firefox 38.0 - 38.1.1
mozilla/firefox_os < 2.2
opensuse/opensuse 13.1
opensuse/opensuse 13.2
oracle/solaris 11.3
redhat/enterprise_linux_desktop 5.0
... and 30 more
Published Aug 08, 2015
KEV Added May 25, 2022
Tracked Since Feb 18, 2026