CVE-2015-4495
Summary
| CVE | CVE-2015-4495 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-08-08 00:59:00 UTC |
| Updated | 2023-09-12 14:55:00 UTC |
| Description | The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015. |
Risk And Classification
EPSS: 0.715680000 probability, percentile 0.987180000 (date 2026-04-01)
CISA KEV: Listed on 2022-05-25; due 2022-06-15; ransomware use Unknown
Problem Types: CWE-200
CISA Known Exploited Vulnerability
| Vendor | Mozilla |
|---|---|
| Product | Firefox |
| Name | Mozilla Firefox Security Feature Bypass Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2015-4495 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.04 | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
| Application | Mozilla | Firefox Esr | 38.0 | All | All | All |
| Application | Mozilla | Firefox Esr | 38.0.1 | All | All | All |
| Application | Mozilla | Firefox Esr | 38.0.5 | All | All | All |
| Application | Mozilla | Firefox Esr | 38.1.0 | All | All | All |
| Operating System | Mozilla | Firefox Os | All | All | All | All |
| Operating System | Novell | Suse Linux Enterprise Desktop | 12.0 | All | All | All |
| Operating System | Novell | Suse Linux Enterprise Server | 12.0 | All | All | All |
| Application | Novell | Suse Linux Enterprise Software Development Kit | 12.0 | All | All | All |
| Operating System | Novell | Suse Linux Enterprise Software Development Kit | 12.0 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.1 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.2 | All | All | All |
| Operating System | Oracle | Solaris | 11.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Oracle Solaris Bulletin - April 2016 | CONFIRM | www.oracle.com | Third Party Advisory |
| Firefox exploit found in the wild - Mozilla Security Blog | CONFIRM | blog.mozilla.org | Vendor Advisory |
| Same origin violation and local file stealing via PDF reader — Mozilla | CONFIRM | www.mozilla.org | Vendor Advisory |
| 1179262 – Remove PlayPreview registration from PDF Viewer | CONFIRM | bugzilla.mozilla.org | Issue Tracking |
| Firefox < 39.03 - pdf.js Same Origin Policy Exploit - Exploits Database | EXPLOIT-DB | www.exploit-db.com | |
| [security-announce] openSUSE-SU-2015:1390-1: important: Security update | SUSE | lists.opensuse.org | Third Party Advisory |
| [security-announce] SUSE-SU-2015:1380-1: critical: Security update for M | SUSE | lists.opensuse.org | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | Third Party Advisory |
| [security-announce] SUSE-SU-2015:1379-1: critical: Security update for M | SUSE | lists.opensuse.org | Third Party Advisory |
| Mozilla Firefox PDF Viewer Same-Origin Bypass Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker | SECTRACK | www.securitytracker.com | Third Party Advisory, VDB Entry |
| [security-announce] SUSE-SU-2015:1528-1: important: Security update for | SUSE | lists.opensuse.org | |
| USN-2707-1: Firefox vulnerability - Ubuntu | UBUNTU | www.ubuntu.com | Third Party Advisory |
| [security-announce] SUSE-SU-2015:1449-1: important: Security update for | SUSE | lists.opensuse.org | |
| [security-announce] openSUSE-SU-2015:1389-1: important: Security update | SUSE | lists.opensuse.org | Third Party Advisory |
| Mozilla Products: Multiple vulnerabilities (GLSA 201512-10) — Gentoo Security | GENTOO | security.gentoo.org | |
| Scheduled Maintenance | CONFIRM | bugzilla.mozilla.org | Issue Tracking |
| Mozilla Firefox CVE-2015-4495 Same Origin Policy Security Bypass Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.