Vulnerability details: VCID-wywz-9zta-efdm
Vulnerability ID VCID-wywz-9zta-efdm
Aliases CVE-2015-0816
Summary Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded through a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs were handled incorrectly and could be bypassed. If this flaw was combined with a separate vulnerability allowing for same-origin policy violation, it could be used to run arbitrary code. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.
Status Published
Exploitability 2.0
Weighted Severity 0.8
Risk 1.6
Data source Metasploit
Description This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability.
Note
Reliability:
  - unknown-reliability
Stability:
  - unknown-stability
SideEffects:
  - unknown-side-effects
Ransomware campaign use Unknown
Source publication date March 31, 2015
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb
Data source Exploit-DB
Date added Aug. 24, 2015
Description Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit)
Ransomware campaign use Known
Source publication date Aug. 24, 2015
Exploit type remote
Platform multiple
Source update date Oct. 27, 2016
Exploit Prediction Scoring System (EPSS)
Percentile 0.99315
EPSS Score 0.8537
Published At Aug. 16, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:10:52.495123+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2015/mfsa2015-33.md 37.0.0