CVE-2015-2720

Mozilla Firefox <38.0 - Privilege Escalation

Description

The update implementation in Mozilla Firefox before 38.0 on Windows does not ensure that the pathname for updater.exe corresponds to the application directory, which might allow local users to gain privileges via a Trojan horse file.

References (4)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/74611
Issue Tracking x_refsource_confirm
https://bugzilla.mozilla.org/show_bug.cgi?id=1127481

Scores

EPSS 0.0008
EPSS Percentile 22.8%

Details

CWE
CWE-17
Status published
Products (1)
mozilla/firefox < 37.0.2
Published May 14, 2015
Tracked Since Feb 18, 2026