CVE-2015-0816
published 2015-04-01

CVE-2015-0816: Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for…

Priority: P3 · 54 · medium · CVSS 2.0 base score: 5.0
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Exploit: public (Metasploit module, see detection notes below)
EPSS: 67.14% (99.2th percentile)
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.

Affected (5 ranges)

Vendor  | Product     | Version range                            | Fixed in
mozilla | firefox     | <= 31.5.3                                |
mozilla | firefox     | <= 36.0.4                                |
mozilla | firefox     | >= 0, < 37.0+build2-0ubuntu0.14.04.1     | 37.0+build2-0ubuntu0.14.04.1
mozilla | thunderbird | <= 31.5                                  |
mozilla | thunderbird | >= 0, < 1:31.6.0+build1-0ubuntu0.14.04.1 | 1:31.6.0+build1-0ubuntu0.14.04.1

Detection & IOCs (extracted from sources)

Indicators:
  • url: resource://
  • url: chrome://browser/content/browser.xul
  • url: data:application/pdf,
  • url: data:application/xml,
  • command: q.messageManager.loadFrameScript('data:,'+key, false);

Notes:
  • Exploit targets Firefox versions 35 and 36 specifically; browser UA version checks between 35–36 are a key targeting signal.
  • Exploit delivery page contains a lure string used as default HTML content; monitor for pages serving this string alongside PDF/XML data URIs.
  • Exploit uses messageManager.loadFrameScript with a data: URI to inject privileged JavaScript into a chrome window; monitor for this API call pattern in browser process logs or network captures.
  • Exploit loads an iframe with src='data:application/pdf,' and a blob URL to trigger PDF.js in a privileged context; anomalous blob: or data:application/pdf URIs in iframe src attributes are suspicious.
  • Exploit uses view-source: scheme combined with object element data attribute reassignment as part of sandbox context acquisition; monitor for view-source: URIs set on object.data dynamically.
  • The exploit requires a user click anywhere on the page to trigger; social engineering lure pages prompting clicks combined with PDF.js resource:// loading should be flagged.
  • Privilege escalation is achieved by combining CVE-2015-0816 (resource:// bypass) with CVE-2015-0802 (messageManager access); detections should look for chained exploitation of both CVEs.
  • The exploit only works against Firefox 35–36; versions outside this range are not targeted by this specific Metasploit module, though the CVE affects Firefox before 37.0 and ESR 31.x before 31.6.
  • In Thunderbird, the flaw cannot generally be exploited via email because scripting is disabled by default; risk is elevated only in browser or browser-like contexts.
  • Exploitation of this CVE alone is insufficient for arbitrary code execution; it must be chained with a separate same-origin policy bypass vulnerability (e.g., CVE-2015-0802).
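The indicators above turned into a small line-oriented scanner, as an added example that is not from the page's sources, Mozilla or the Metasploit project. The regexes, rule names, scoring and sample lines are constructed here; the resource://pdf.js path is assumed to be the PDF.js viewer location the description refers to.

```python
import re
from typing import Dict, List

# Rules derived from the detection notes above. Each matches one indicator:
# privileged script injection (loadFrameScript with a data: URI, or a chrome://
# browser window reference), PDF.js delivery (resource:// viewer path, data:
# or blob: PDF iframes) and the view-source: trick on object.data.
RULES = [
    ("loadFrameScript_data_uri", re.compile(r"messageManager\.loadFrameScript\(\s*['\"]data:", re.I)),
    ("chrome_browser_xul", re.compile(r"chrome://browser/content/browser\.xul", re.I)),
    ("pdfjs_resource_url", re.compile(r"resource://pdf\.js", re.I)),  # assumed viewer path
    ("pdf_data_iframe", re.compile(r"<iframe[^>]*src=['\"](?:data:application/pdf|blob:)", re.I)),
    ("view_source_object_data", re.compile(r"\.data\s*=\s*['\"]view-source:", re.I)),
]


def scan(lines: List[str]) -> Dict[str, List[int]]:
    """Return {rule_name: [1-based line numbers]} for every indicator seen."""
    hits: Dict[str, List[int]] = {}
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.setdefault(name, []).append(n)
    return hits


def verdict(hits: Dict[str, List[int]]) -> str:
    # The notes state this CVE alone does not give code execution: the
    # resource:// PDF.js load must be chained with a chrome-privilege path.
    # A privileged indicator plus a delivery indicator in one document is
    # therefore scored higher than either family on its own.
    privileged = any(k in hits for k in ("loadFrameScript_data_uri", "chrome_browser_xul"))
    delivery = any(k in hits for k in ("pdfjs_resource_url", "pdf_data_iframe", "view_source_object_data"))
    if privileged and delivery:
        return "chained-exploit-likely"
    if privileged or delivery:
        return "suspicious"
    return "clean"


# Constructed page content for a self-test; not a real capture.
SAMPLE = [
    "<html><body onclick='go()'>Click anywhere to open the document</body>",
    "<iframe src='data:application/pdf,' id='f'></iframe>",
    "var o = document.createElement('object'); o.data = 'view-source:' + location.href;",
    "q.messageManager.loadFrameScript('data:,'+key, false);",
    "var img = new Image(); img.src = 'https://example.test/logo.png';",
]

if __name__ == "__main__":
    found = scan(SAMPLE)
    print(found, verdict(found))  # three rules hit, verdict chained-exploit-likely
```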

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv           |         | 7.5   | HIGH     |
vendor_ubuntu |         | 7.5   | HIGH     |
vendor_redhat |         | 5.0   | MEDIUM   |