CVE-2004-0906

medium

Description

The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.

References

http://bugzilla.mozilla.org/show_bug.cgi?id=231083

http://bugzilla.mozilla.org/show_bug.cgi?id=235781

http://secunia.com/advisories/12526/

http://security.gentoo.org/glsa/glsa-200409-26.xml

http://www.kb.cert.org/vuls/id/653160

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3

http://www.novell.com/linux/security/advisories/2004_36_mozilla.html

http://www.redhat.com/support/errata/RHSA-2005-323.html

http://www.securityfocus.com/bid/11192

https://exchange.xforce.ibmcloud.com/vulnerabilities/17375

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11668

Details

Source: MITRE

Published: 2004-12-31

Updated: 2017-10-11

Risk Information

CVSS v2

Base Score: 4.6

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.9

Severity: MEDIUM