Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-0816: Execution with Unnecessary Privileges in Mozilla Firefox

Severity: 5.0 MEDIUM (NVD) | OSV 7.5
EPSS: 85.4% (top 0.63%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Apr 1 | Latest update May 17

Description

Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (4 packages)

Ubuntu | mozilla/firefox | < 37.0+build2-0ubuntu0.14.04.1
NVD | mozilla/firefox | 31.5.3+1
Ubuntu | mozilla/thunderbird | < 1:31.6.0+build1-0ubuntu0.14.04.1

🔴 Vulnerability Details (4)

GHSA | GHSA-gjhp-68hp-85fp: Mozilla Firefox before 37 | 2022-05-17
OSV | thunderbird vulnerabilities | 2015-04-02
OSV | firefox vulnerabilities | 2015-04-01
OSV | CVE-2015-0816: Mozilla Firefox before 37 | 2015-04-01

💥 Exploits & PoCs (2)

Exploit-DB | Mozilla Firefox - 'pdf.js' Privileged JavaScript Injection (Metasploit) | 2015-08-24
Metasploit | Firefox PDF.js Privileged Javascript Injection

📋 Vendor Advisories (3)

Ubuntu | Thunderbird vulnerabilities | 2015-04-02
Ubuntu | Firefox vulnerabilities | 2015-04-01
Red Hat | Mozilla: resource:// documents can load privileged pages (MFSA 2015-33) | 2015-03-31

💬 Community (14)

Bugzilla | CVE-2015-1246 chromium-browser: Out-of-bounds read in Blink | 2015-04-15
Bugzilla | CVE-2015-1247 chromium-browser: Scheme issues in OpenSearch | 2015-04-15
Bugzilla | CVE-2015-1238 chromium-browser: Out-of-bounds write in Skia | 2015-04-15
Bugzilla | CVE-2015-1236 chromium-browser: Cross-origin-bypass in Blink | 2015-04-15
Bugzilla | CVE-2015-1237 chromium-browser: Use-after-free in IPC | 2015-04-15