CVE-2015-4495 - Vulnerability Details

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is in the KEV database since May 25, 2022.

The EPSS score is 0.71568.

Exploitation active

Automatable no

Technical Impact total

Vendors	Products
Canonical	Ubuntu Linux
Mozilla	Firefox Firefox Os
Opensuse	Opensuse
Oracle	Solaris
Redhat	Enterprise Linux Enterprise Linux Desktop Enterprise Linux Eus Enterprise Linux Server Enterprise Linux Server Aus Enterprise Linux Server Tus Enterprise Linux Workstation
Suse	Linux Enterprise Debuginfo Linux Enterprise Desktop Linux Enterprise Server Linux Enterprise Software Development Kit

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox::::::::

Configuration 2 [-]

cpe:2.3:o:mozilla:firefox_os:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:15.04:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:6.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.3:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 6 [-]

OR	cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp1::::::
	cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2::::::
	cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp3::::::
	cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4::::::
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
	cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_desktop:11:sp4::::::
	cpe:2.3:o:suse:linux_enterprise_desktop:12:-::::::
	cpe:2.3:o:suse:linux_enterprise_server:11:sp1:::ltss:::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp2:::ltss:::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp3::::-::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp3::::vmware::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp4::::::
	cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
	cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp4::::::
	cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 5
firefox-0:38.1.1-1.el5_11	cpe:/o:redhat:enterprise_linux:5	RHSA-2015:1581	2015-08-07T00:00:00Z
Red Hat Enterprise Linux 6
firefox-0:38.1.1-1.el6_7	cpe:/o:redhat:enterprise_linux:6	RHSA-2015:1581	2015-08-07T00:00:00Z
Red Hat Enterprise Linux 7
firefox-0:38.1.1-1.ael7b_1	cpe:/o:redhat:enterprise_linux:7	RHSA-2015:1581	2015-08-07T00:00:00Z

No data.

Advisories

Source	ID	Title
Ubuntu USN	USN-2707-1	Firefox vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html
http://rhn.redhat.com/errata/RHSA-2015-1581.html
http://www.mozilla.org/security/announce/2015/mfsa2015-78.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/76249
http://www.securitytracker.com/id/1033216
http://www.ubuntu.com/usn/USN-2707-1
https://access.redhat.com/articles/1563163
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
https://bugzilla.mozilla.org/show_bug.cgi?id=1178058
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262
https://nvd.nist.gov/vuln/detail/CVE-2015-4495
https://security.gentoo.org/glsa/201512-10
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495
https://www.cve.org/CVERecord?id=CVE-2015-4495
https://www.exploit-db.com/exploits/37772/
https://www.mozilla.org/security/announce/2015/mfsa2015-78.html

History

Wed, 22 Oct 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495

Tue, 21 Oct 2025 20:30:00 +0000

Type	Values Removed	Values Added
References	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495

Tue, 21 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495

Wed, 30 Jul 2025 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-346

Fri, 07 Feb 2025 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-05-25'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 22 Oct 2024 14:00:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:mozilla:firefox_esr::::::::
Vendors & Products	Mozilla firefox Esr

Tue, 13 Aug 2024 23:45:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2015-08-08T00:00:00.000Z

Updated: 2025-10-21T23:55:58.479Z

Reserved: 2015-06-10T00:00:00.000Z

Link: CVE-2015-4495

Vulnrichment

Updated: 2024-08-06T06:18:11.155Z

NVD

Status : Deferred

Published: 2015-08-08T00:59:04.597

Modified: 2025-10-22T00:15:43.610

Link: CVE-2015-4495

Redhat

Severity : Important

Publid Date: 2015-08-06T00:00:00Z

Links: CVE-2015-4495 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation active

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object