CVE-2015-2720

Published May 14, 2015

Last updated 8 years ago

Overview

Description: The update implementation in Mozilla Firefox before 38.0 on Windows does not ensure that the pathname for updater.exe corresponds to the application directory, which might allow local users to gain privileges via a Trojan horse file.
Source: security@mozilla.org
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 4.4
Impact score: 6.4
Exploitability score: 3.4
Vector string: AV:L/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-17

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7CF7EA41-388C-43CA-82A3-BBED9947CD49",
            "versionEndIncluding": "37.0.2"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References