Vulnerability Details : CVE-2015-4509
Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176.
Vulnerability category: Memory CorruptionExecute code
Products affected by CVE-2015-4509
- cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:38.2.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-4509
21.48%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-4509
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
References for CVE-2015-4509
-
http://www.zerodayinitiative.com/advisories/ZDI-15-646
ZDI-15-646 | Zero Day Initiative
-
http://www.mozilla.org/security/announce/2015/mfsa2015-106.html
Use-after-free while manipulating HTML media content — MozillaVendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00003.html
[security-announce] openSUSE-SU-2015:1679-1: important: Security update
-
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00000.html
[security-announce] openSUSE-SU-2015:1658-1: important: Security update
-
http://www.ubuntu.com/usn/USN-2743-3
USN-2743-3: Unity Integration for Firefox, Unity Websites Integration and Ubuntu Online Accounts extension update | Ubuntu security notices
-
http://www.debian.org/security/2015/dsa-3365
Debian -- Security Information -- DSA-3365-1 iceweasel
-
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00007.html
[security-announce] SUSE-SU-2015:1703-1: important: Security update for
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016
-
http://rhn.redhat.com/errata/RHSA-2015-1852.html
RHSA-2015:1852 - Security Advisory - Red Hat Customer Portal
-
http://rhn.redhat.com/errata/RHSA-2015-1834.html
RHSA-2015:1834 - Security Advisory - Red Hat Customer Portal
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Oracle Linux Bulletin - October 2015
-
http://www.ubuntu.com/usn/USN-2754-1
USN-2754-1: Thunderbird vulnerabilities | Ubuntu security notices
-
http://www.ubuntu.com/usn/USN-2743-1
USN-2743-1: Firefox vulnerabilities | Ubuntu security notices
-
http://www.securityfocus.com/bid/76816
Mozilla Firefox Multiple Security Vulnerabilities
-
https://bugzilla.mozilla.org/show_bug.cgi?id=1198435
1198435 - (CVE-2015-4509) HTMLVideoElement Use-After-Free Remote Code Execution (ZDI-CAN-3176)
-
http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00025.html
[security-announce] SUSE-SU-2015:2081-1: important: Security update for
-
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00004.html
[security-announce] SUSE-SU-2015:1680-1: important: Security update for
-
http://lists.opensuse.org/opensuse-security-announce/2015-10/msg00005.html
[security-announce] openSUSE-SU-2015:1681-1: important: Security update
-
http://www.ubuntu.com/usn/USN-2743-2
USN-2743-2: Ubufox update | Ubuntu security notices
-
http://www.securitytracker.com/id/1033640
Mozilla Firefox Multiple Flaws Let Remote Users Execute Arbitrary Code, Obtain Potentially Sensitive Information, Bypass Security Restrictions, and Gain Elevated Privileges - SecurityTracker
-
http://www.ubuntu.com/usn/USN-2743-4
USN-2743-4: Firefox regression | Ubuntu security notices
Jump to