CVE-2010-3131

Mozilla Firefox < & Thunderbird < & SeaMonkey <3.5.12-3.6.9 <3.0.7-3.1.3 - DLL Hijacking

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2010-3131. PoCs published by h4ck3r#47, Glafkos Charalambous.

AI-analyzed exploit summary This exploit demonstrates a DLL hijacking vulnerability in Mozilla Thunderbird 3.1.2 by creating a malicious dwmapi.dll that executes arbitrary code (calc.exe) when loaded by the application. The exploit targets vulnerable extensions (.eml, .html) on Windows XP SP3.

Description

Untrusted search path vulnerability in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 on Windows XP allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the same folder as a .htm, .html, .jtx, .mfp, or .eml file.

Exploits (2)

exploitdb WORKING POC VERIFIED
by h4ck3r#47 · clocalwindows
https://www.exploit-db.com/exploits/14783

This exploit demonstrates a DLL hijacking vulnerability in Mozilla Thunderbird 3.1.2 by creating a malicious dwmapi.dll that executes arbitrary code (calc.exe) when loaded by the application. The exploit targets vulnerable extensions (.eml, .html) on Windows XP SP3.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Mozilla Thunderbird 3.1.2
No auth needed
Prerequisites: Victim must open a malicious .eml or .html file in Thunderbird · Malicious dwmapi.dll must be placed in a directory with higher search priority than the legitimate DLL
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Glafkos Charalambous · clocalwindows
https://www.exploit-db.com/exploits/14730

This exploit demonstrates a DLL hijacking vulnerability in Firefox <= 3.6.8 by creating a malicious dwmapi.dll that executes arbitrary code when Firefox loads it. The PoC uses exported functions from dwmapi.dll to trigger a MessageBox popup, proving the vulnerability.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Mozilla Firefox <= 3.6.8
No auth needed
Prerequisites: Victim must open a file with a vulnerable extension (.htm, .html, .jtx, .mfp) in Firefox · Malicious dwmapi.dll must be placed in the same directory as the file
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (12)

Core 12
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41095
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14783
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/513324/100/0/threaded
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2201
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/14730
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2169
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/2323
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12143
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=579593
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41168

Scores

EPSS 0.2211
EPSS Percentile 97.4%

Details

Status published
Products (47)
mozilla/firefox 3.6
mozilla/firefox 3.6.2
mozilla/firefox 3.6.3
mozilla/firefox 3.6.4
mozilla/firefox 3.6.6
mozilla/firefox 3.6.7
mozilla/firefox 3.6.8
mozilla/firefox 1.0 (2 CPE variants)
mozilla/firefox 1.0.1
mozilla/firefox 1.0.2
... and 37 more
Published Aug 26, 2010
Tracked Since Feb 18, 2026