VYPR
Get started
← All advisories
Unrated severityNVD Advisory· Published Jul 6, 2015· Updated May 6, 2026

CVE-2015-2731

CVE-2015-2731

Description

Use-after-free vulnerability in the CSPService::ShouldLoad function in the microtask implementation in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allows remote attackers to execute arbitrary code by leveraging client-side JavaScript that triggers removal of a DOM object on the basis of a Content Policy.

Affected products

18
  • Mozilla Corporation/Firefox9 versions
    cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 8 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=38.1.0
    • cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
  • Mozilla Corporation/Firefox Esr7 versions
    cpe:2.3:a:mozilla:firefox_esr:31.1:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:a:mozilla:firefox_esr:31.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.7.0:*:*:*:*:*:*:*
  • Mozilla Corporation/Thunderbird
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
    Range: <=38.0.1
  • Oracle Corporation/Solaris
    cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

14

News mentions

0

No linked articles in our index yet.