The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.
http://bugzilla.mozilla.org/show_bug.cgi?id=231083
http://bugzilla.mozilla.org/show_bug.cgi?id=235781
http://secunia.com/advisories/12526/
http://security.gentoo.org/glsa/glsa-200409-26.xml
http://www.kb.cert.org/vuls/id/653160
http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
http://www.novell.com/linux/security/advisories/2004_36_mozilla.html
http://www.redhat.com/support/errata/RHSA-2005-323.html
http://www.securityfocus.com/bid/11192
https://exchange.xforce.ibmcloud.com/vulnerabilities/17375
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11668
Source: MITRE
Published: 2004-12-31
Updated: 2017-10-11
Type: NVD-CWE-Other
Base Score: 4.6
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 3.9
Severity: MEDIUM