CVE-2015-2720

medium

Description

The update implementation in Mozilla Firefox before 38.0 on Windows does not ensure that the pathname for updater.exe corresponds to the application directory, which might allow local users to gain privileges via a Trojan horse file.

References

http://www.mozilla.org/security/announce/2015/mfsa2015-58.html

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

http://www.securityfocus.com/bid/74611

https://bugzilla.mozilla.org/show_bug.cgi?id=1127481

Details

Source: MITRE

Published: 2015-05-14

Updated: 2017-01-03

Type: CWE-17

Risk Information

CVSS v2

Base Score: 4.4

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 3.4

Severity: MEDIUM