Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
2

CVE-2015-4495

Disclosure Date: August 08, 2015
CVE-2015-4495 CVSS v3 Base Score: 8.8
Exploited in the Wild
Reported by gwillcox-r7
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

Add Assessment

1
Technical Analysis

Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
auxiliary/gather/firefox_pdfjs_file_theft
Reporter
Unknown

Vendors

  • canonical,
  • mozilla,
  • opensuse,
  • oracle,
  • redhat,
  • suse

Products

  • enterprise linux desktop 5.0,
  • enterprise linux desktop 6.0,
  • enterprise linux desktop 7.0,
  • enterprise linux eus 6.7,
  • enterprise linux eus 7.1,
  • enterprise linux eus 7.2,
  • enterprise linux eus 7.3,
  • enterprise linux eus 7.4,
  • enterprise linux eus 7.5,
  • enterprise linux eus 7.6,
  • enterprise linux eus 7.7,
  • enterprise linux server 5.0,
  • enterprise linux server 6.0,
  • enterprise linux server 7.0,
  • enterprise linux server aus 7.3,
  • enterprise linux server aus 7.4,
  • enterprise linux server aus 7.6,
  • enterprise linux server aus 7.7,
  • enterprise linux server tus 7.3,
  • enterprise linux server tus 7.6,
  • enterprise linux server tus 7.7,
  • enterprise linux workstation 5.0,
  • enterprise linux workstation 6.0,
  • enterprise linux workstation 7.0,
  • firefox,
  • firefox esr,
  • firefox os,
  • linux enterprise debuginfo 11,
  • linux enterprise desktop 11,
  • linux enterprise desktop 12,
  • linux enterprise server 11,
  • linux enterprise server 12,
  • linux enterprise software development kit 11,
  • linux enterprise software development kit 12,
  • opensuse 13.1,
  • opensuse 13.2,
  • solaris 11.3,
  • ubuntu linux 12.04,
  • ubuntu linux 14.04,
  • ubuntu linux 15.04

Exploited in the Wild

Reported by:
Technical Analysis