CVE-2015-6713
Description
The Function call implementation in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to bypass JavaScript API execution restrictions via unspecified vectors, a different vulnerability than CVE-2015-6707, CVE-2015-6708, CVE-2015-6709, CVE-2015-6710, CVE-2015-6711, CVE-2015-6712, CVE-2015-6714, CVE-2015-6715, CVE-2015-6716, CVE-2015-6717, CVE-2015-6718, CVE-2015-6719, CVE-2015-6720, CVE-2015-6721, CVE-2015-6722, CVE-2015-6723, CVE-2015-6724, CVE-2015-6725, CVE-2015-7614, CVE-2015-7616, CVE-2015-7618, CVE-2015-7619, CVE-2015-7620, and CVE-2015-7623.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adobe Reader/Acrobat fails to enforce JavaScript API restrictions via a crafted Function.call, allowing attackers to execute arbitrary code.
Vulnerability
The vulnerability resides in the Function.call implementation within the JavaScript engine of Adobe Reader and Acrobat. Affected versions include Reader and Acrobat 10.x before 10.1.16, 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and DC Continuous before 2015.009.20069 on Windows and OS X. By crafting a PDF with specific JavaScript instructions, an attacker can bypass the intended security restrictions on JavaScript API calls [1].
Exploitation
Exploitation requires user interaction — the target must open a malicious PDF file or visit a page that loads the exploit. No authentication or special network position is needed beyond delivering the file. The attacker creates a specially crafted PDF that leverages the Function.call method to evade API restrictions [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary code in the context of the current user. This can lead to full compromise of confidentiality, integrity, and availability, as an attacker could read, modify, or delete files, install malware, or perform other malicious actions [1]. The CVSS v2 score is 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) [1].
Mitigation
Adobe released fixes starting October 13, 2015. Users should update to the following versions or later: Reader/Acrobat 10.1.16, 11.0.13, DC Classic 2015.006.30094, and DC Continuous 2015.009.20069. No workaround is available; applying the latest patch is the only mitigation [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:classic:*:*:*range: >=15.006.30060,<15.006.30094
- cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*range: >=15.008.20082,<15.009.20069
cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat_reader:*:*:*:*:*:*:*:*range: >=10.0,<=10.1.15
- (no CPE)range: >=10.0, <=10.1.16
cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*+ 1 more
- cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:classic:*:*:*range: >=15.006.30060,<15.006.30094
- cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*range: >=15.008.20082,<15.009.20069
- Range: <2015.009.20069
- Range: <2015.006.30094
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- helpx.adobe.com/security/products/acrobat/apsb15-24.htmlnvdPatchVendor Advisory
- www.securitytracker.com/id/1033796nvdThird Party AdvisoryVDB Entry
- www.zerodayinitiative.com/advisories/ZDI-15-489nvdThird Party AdvisoryVDB Entry
News mentions
0No linked articles in our index yet.