CVE-2015-4495
CVE-2015-4495
In short
Firefox's PDF reader had a security flaw that allowed attackers to bypass protections meant to prevent websites from accessing files outside their domain. A malicious website could use specially crafted code to read your files or gain unauthorized access to your browser.
Technical detail
CVE-2015-4495 exploits a Same Origin Policy bypass in Firefox's PDF handling through crafted JavaScript interacting with native setters. The attack vector involves hosting malicious JavaScript that leverages the PDF reader's insufficient origin validation, potentially allowing file disclosure and privilege escalation without user interaction beyond visiting a compromised site.
Summary generated and translated by AI from the official description.
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote attackers to bypass the Same Origin Policy, and read arbitrary files or gain privileges, via vectors involving crafted JavaScript code and a native setter, as exploited in the wild in August 2015.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 3
githubgithub.com/vincd/CVE-2015-4495★ 1cve_referencewww.exploit-db.com/exploits/37772/unverifiedexploitdbwww.exploit-db.com/exploits/37772unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00009.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-08/msg00010.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-08/msg00014.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-08/msg00015.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-08/msg00021.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-09/msg00016.htmlhttp://rhn.redhat.com/errata/RHSA-2015-1581.htmlhttps://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/https://bugzilla.mozilla.org/show_bug.cgi?id=1178058https://bugzilla.mozilla.org/show_bug.cgi?id=1179262https://security.gentoo.org/glsa/201512-10https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-4495