CVE-2015-2419

CVSS 8.8 HIGHEPSS 44.5%● KEVCWE-787

Vexday Risk Score

83Fix now

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 8.8EPSS 44.5%KEV simPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

14 Jul 2015Published on NVD

01 Feb 2016Public PoC

28 Mar 2022Active exploitation (CISA KEV)

Recommendation: Patch as soon as possible — active exploitation confirmed.

In short

A vulnerability in Internet Explorer's JScript 9 engine allows attackers to execute malicious code or crash the browser by visiting a specially crafted website. This happens because the browser doesn't properly handle memory, making it susceptible to corruption attacks.

Technical detail

JScript 9 in IE 10 and 11 contains an out-of-bounds write vulnerability (CWE-787) triggered via malicious JavaScript in a web page, leading to arbitrary code execution or denial of service through memory corruption. The attack requires user interaction (visiting a crafted site) but no authentication or special preconditions.

Summary generated and translated by AI from the official description.

JScript 9 in Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "JScript9 Memory Corruption Vulnerability."

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

public PoCs found — 1

exploitdbwww.exploit-db.com/exploits/44743unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-065 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-2419 http://www.securitytracker.com/id/1032894