The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is in the KEV database since May 25, 2022.

The EPSS score is 0.71568.

Exploitation active

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Canonical Subscribe
Ubuntu Linux Subscribe
Mozilla Subscribe
Firefox Subscribe
Firefox Os Subscribe
Opensuse Subscribe
Opensuse Subscribe
Oracle Subscribe
Solaris Subscribe
Redhat Subscribe
Enterprise Linux Subscribe
Enterprise Linux Desktop Subscribe
Enterprise Linux Eus Subscribe
Enterprise Linux Server Subscribe
Enterprise Linux Server Aus Subscribe
Enterprise Linux Server Tus Subscribe
Enterprise Linux Workstation Subscribe
Suse Subscribe
Linux Enterprise Debuginfo Subscribe
Linux Enterprise Desktop Subscribe
Linux Enterprise Server Subscribe
Linux Enterprise Software Development Kit Subscribe

Configuration 1 [-]

OR cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:mozilla:firefox_os:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

Configuration 5 [-]

OR cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 6 [-]

OR cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp1:*:*:*:*:*:*
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp2:*:*:*:*:*:*
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp3:*:*:*:*:*:*
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:11:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:12:-:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp1:*:*:ltss:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:-:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*
cpe:2.3:o:suse:linux_enterprise_server:11:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:-:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp4:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 5
firefox-0:38.1.1-1.el5_11 cpe:/o:redhat:enterprise_linux:5 RHSA-2015:1581 2015-08-07T00:00:00Z
Red Hat Enterprise Linux 6
firefox-0:38.1.1-1.el6_7 cpe:/o:redhat:enterprise_linux:6 RHSA-2015:1581 2015-08-07T00:00:00Z
Red Hat Enterprise Linux 7
firefox-0:38.1.1-1.ael7b_1 cpe:/o:redhat:enterprise_linux:7 RHSA-2015:1581 2015-08-07T00:00:00Z

No data.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-2707-1 Firefox vulnerability
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-1581.html cve-icon cve-icon
http://www.mozilla.org/security/announce/2015/mfsa2015-78.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html cve-icon cve-icon
http://www.securityfocus.com/bid/76249 cve-icon cve-icon
http://www.securitytracker.com/id/1033216 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2707-1 cve-icon cve-icon
https://access.redhat.com/articles/1563163 cve-icon
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/ cve-icon cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=1178058 cve-icon cve-icon
https://bugzilla.mozilla.org/show_bug.cgi?id=1179262 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2015-4495 cve-icon
https://security.gentoo.org/glsa/201512-10 cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2015-4495 cve-icon
https://www.exploit-db.com/exploits/37772/ cve-icon cve-icon
https://www.mozilla.org/security/announce/2015/mfsa2015-78.html cve-icon
History

Wed, 22 Oct 2025 09:15:00 +0900

Type Values Removed Values Added
References

Wed, 22 Oct 2025 05:30:00 +0900

Type Values Removed Values Added
References

Wed, 22 Oct 2025 04:30:00 +0900

Type Values Removed Values Added
References

Wed, 30 Jul 2025 12:30:00 +0900

Type Values Removed Values Added
Weaknesses CWE-346

Fri, 07 Feb 2025 22:15:00 +0900

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2022-05-25'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 22 Oct 2024 23:00:00 +0900

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
Vendors & Products Mozilla firefox Esr

Wed, 14 Aug 2024 08:45:00 +0900

Type Values Removed Values Added
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2025-10-21T23:55:58.479Z

Reserved: 2015-06-10T00:00:00.000Z

Link: CVE-2015-4495

cve-icon Vulnrichment

Updated: 2024-08-06T06:18:11.155Z

cve-icon NVD

Status : Deferred

Published: 2015-08-08T00:59:04.597

Modified: 2025-10-22T00:15:43.610

Link: CVE-2015-4495

cve-icon Redhat

Severity : Important

Publid Date: 2015-08-06T00:00:00Z

Links: CVE-2015-4495 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses