VYPR
Unrated severityNVD Advisory· Published Jul 6, 2015· Updated Jun 17, 2026

CVE-2015-2731

CVE-2015-2731

Description

Use-after-free vulnerability in the CSPService::ShouldLoad function in the microtask implementation in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allows remote attackers to execute arbitrary code by leveraging client-side JavaScript that triggers removal of a DOM object on the basis of a Content Policy.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

23
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*+ 16 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*range: <=38.1.0
    • cpe:2.3:a:mozilla:firefox:31.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:31.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox:38.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:firefox_esr:31.7.0:*:*:*:*:*:*:*
    • (no CPE)range: <39.0
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*range: <=38.0.1
    • (no CPE)range: <38.1
  • cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  • osv-coords3 versions
    < 128.5.1-1.1+ 2 more
    • (no CPE)range: < 128.5.1-1.1
    • (no CPE)range: < 50.1.0-1.1
    • (no CPE)range: < 45.5.1-1.1

Patches

Vulnerability mechanics

References

14

News mentions

0

No linked articles in our index yet.