Vulnerability ID | VCID-wywz-9zta-efdm |
Aliases | CVE-2015-0816 |
Summary | Security researcher Mariusz Mlynski reported, through HP Zero Day Initiative's Pwn2Own contest, that documents loaded through a resource: URL, such as Mozilla's PDF.js PDF file viewer, were able to subsequently load privileged chrome pages. The privilege restrictions on resource: URLs were handled incorrectly and these restrictions could be bypassed. If this flaw was combined with a separate vulnerability allowing for same-origin policy violation, it could be used to run arbitrary code. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
Status | Published |
Exploitability | 2.0 |
Weighted Severity | 0.8 |
Risk | 1.6 |
Affected and Fixed Packages | Package Details |
System | Score | Found at |
---|---|---|
epss | 0.8537 | https://api.first.org/data/v1/epss?cve=CVE-2015-0816 |
generic_textual | none | https://www.mozilla.org/en-US/security/advisories/mfsa2015-33 |
Reference id | Reference type | URL |
---|---|---|
 | | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-0816.json |
 | | https://api.first.org/data/v1/epss?cve=CVE-2015-0816 |
1207072 | | https://bugzilla.redhat.com/show_bug.cgi?id=1207072 |
CVE-2015-0816 | | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0816 |
CVE-2015-0816;CVE-2015-0802;OSVDB-120107;OSVDB-119753 | Exploit | https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/37958.rb |
mfsa2015-33 | | https://www.mozilla.org/en-US/security/advisories/mfsa2015-33 |
RHSA-2015:0766 | | https://access.redhat.com/errata/RHSA-2015:0766 |
RHSA-2015:0771 | | https://access.redhat.com/errata/RHSA-2015:0771 |
USN-2550-1 | | https://usn.ubuntu.com/2550-1/ |
USN-2552-1 | | https://usn.ubuntu.com/2552-1/ |
Data source | Metasploit |
---|---|
Description | This module gains remote code execution on Firefox 35-36 by abusing a privilege escalation bug in resource:// URIs. PDF.js is used to exploit the bug. This exploit requires the user to click anywhere on the page to trigger the vulnerability. |
Note | Reliability: unknown-reliability; Stability: unknown-stability; SideEffects: unknown-side-effects |
Ransomware campaign use | Unknown |
Source publication date | March 31, 2015 |
Source URL | https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/browser/firefox_pdfjs_privilege_escalation.rb |
Data source | Exploit-DB |
---|---|
Date added | Aug. 24, 2015 |
Description | Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit) |
Ransomware campaign use | Known |
Source publication date | Aug. 24, 2015 |
Exploit type | remote |
Platform | multiple |
Source update date | Oct. 27, 2016 |
Percentile | 0.99315 |
EPSS Score | 0.8537 |
Published At | Aug. 16, 2025, 12:55 p.m. |
Date | Actor | Action | Source | VulnerableCode Version |
---|---|---|---|---|
2025-07-31T08:10:52.495123+00:00 | Mozilla Importer | Import | https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2015/mfsa2015-33.md | 37.0.0 |