CVE-2015-4495
Summary
| CVE | CVE-2015-4495 |
|---|---|
| State | PUBLISHED |
| Assigner | mozilla |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-08-08 00:59:04 UTC |
| Updated | 2026-04-22 10:36:16 UTC |
| Description | The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.715680000 probability, percentile 0.987390000 (date 2026-04-24)
CISA KEV: Listed on 2022-05-25; due 2022-06-15; ransomware use Unknown
Problem Types: NVD-CWE-noinfo | CWE-346 | n/a | CWE-346 CWE-346 Origin Validation Error
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | ADP | DECLARED | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 4.3 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
MediumAuthentication
NoneConfidentiality
PartialIntegrity
NoneAvailability
NoneAV:N/AC:M/Au:N/C:P/I:N/A:N
CISA Known Exploited Vulnerability
| Vendor | Mozilla |
|---|---|
| Product | Firefox |
| Name | Mozilla Firefox Security Feature Bypass Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2015-4495 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 12.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 14.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 15.04 | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
| Application | Mozilla | Firefox | All | All | All | All |
| Operating System | Mozilla | Firefox Os | All | All | All | All |
| Operating System | Opensuse | Opensuse | 13.1 | All | All | All |
| Operating System | Opensuse | Opensuse | 13.2 | All | All | All |
| Operating System | Oracle | Solaris | 11.3 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 5.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 6.7 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.1 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.2 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.3 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.4 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.5 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.6 | All | All | All |
| Operating System | Redhat | Enterprise Linux Eus | 7.7 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 5.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Aus | 7.3 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Aus | 7.4 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Aus | 7.6 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Aus | 7.7 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Tus | 7.3 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Tus | 7.6 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server Tus | 7.7 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 5.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 7.0 | All | All | All |
| Application | Suse | Linux Enterprise Debuginfo | 11 | sp1 | All | All |
| Application | Suse | Linux Enterprise Debuginfo | 11 | sp2 | All | All |
| Application | Suse | Linux Enterprise Debuginfo | 11 | sp3 | All | All |
| Application | Suse | Linux Enterprise Debuginfo | 11 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Desktop | 11 | sp3 | All | All |
| Operating System | Suse | Linux Enterprise Desktop | 11 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Desktop | 12 | - | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp1 | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp2 | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp3 | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp3 | All | All |
| Operating System | Suse | Linux Enterprise Server | 11 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Server | 12 | - | All | All |
| Operating System | Suse | Linux Enterprise Software Development Kit | 11 | sp3 | All | All |
| Operating System | Suse | Linux Enterprise Software Development Kit | 11 | sp4 | All | All |
| Operating System | Suse | Linux Enterprise Software Development Kit | 12 | - | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [security-announce] SUSE-SU-2015:1380-1: critical: Security update for M | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Mozilla Firefox PDF Viewer Same-Origin Bypass Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Broken Link, Third Party Advisory, VDB Entry |
| [security-announce] SUSE-SU-2015:1528-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| www.cisa.gov/known-exploited-vulnerabilities-catalog | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | www.cisa.gov | US Government Resource |
| Same origin violation and local file stealing via PDF reader — Mozilla | af854a3a-2127-422b-91ae-364da2661108 | www.mozilla.org | Vendor Advisory |
| [security-announce] openSUSE-SU-2015:1389-1: important: Security update | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Firefox < 39.03 - pdf.js Same Origin Policy Exploit - Exploits Database | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| USN-2707-1: Firefox vulnerability | Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | Third Party Advisory |
| [security-announce] SUSE-SU-2015:1449-1: important: Security update for | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Mozilla Firefox CVE-2015-4495 Same Origin Policy Security Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Broken Link, Third Party Advisory, VDB Entry |
| [security-announce] SUSE-SU-2015:1379-1: critical: Security update for M | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| [security-announce] openSUSE-SU-2015:1390-1: important: Security update | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| 1179262 – Remove PlayPreview registration from PDF Viewer | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.mozilla.org | Issue Tracking |
| Scheduled Maintenance | af854a3a-2127-422b-91ae-364da2661108 | bugzilla.mozilla.org | Issue Tracking |
| Firefox exploit found in the wild | Mozilla Security Blog | af854a3a-2127-422b-91ae-364da2661108 | blog.mozilla.org | Issue Tracking, Vendor Advisory |
| Mozilla Products: Multiple vulnerabilities (GLSA 201512-10) — Gentoo Security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| Oracle Solaris Bulletin - April 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2022-05-25T00:00:00.000Z | CVE-2015-4495 added to CISA KEV |
There are currently no legacy QID mappings associated with this CVE.