CVE-2004-0906

high

Description

The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11668

https://exchange.xforce.ibmcloud.com/vulnerabilities/17375

http://www.securityfocus.com/bid/11192

http://www.redhat.com/support/errata/RHSA-2005-323.html

http://www.novell.com/linux/security/advisories/2004_36_mozilla.html

http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3

http://www.kb.cert.org/vuls/id/653160

http://security.gentoo.org/glsa/glsa-200409-26.xml

http://secunia.com/advisories/12526/

http://bugzilla.mozilla.org/show_bug.cgi?id=235781

http://bugzilla.mozilla.org/show_bug.cgi?id=231083

Details

Source: Mitre, NVD

Published: 2004-12-31

Updated: 2025-04-03

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00144