Vulnerability Description
The update implementation in Mozilla Firefox before 38.0 on Windows does not ensure that the pathname for updater.exe corresponds to the application directory, which might allow local users to gain privileges via a Trojan horse file.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | <= 37.0.2 |
Related Weaknesses (CWE)
References
- http://www.mozilla.org/security/announce/2015/mfsa2015-58.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/74611
- https://bugzilla.mozilla.org/show_bug.cgi?id=1127481
- http://www.mozilla.org/security/announce/2015/mfsa2015-58.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/74611
- https://bugzilla.mozilla.org/show_bug.cgi?id=1127481
FAQ
What is CVE-2015-2720?
CVE-2015-2720 is a vulnerability with a CVSS score of 4.4 (MEDIUM). The update implementation in Mozilla Firefox before 38.0 on Windows does not ensure that the pathname for updater.exe corresponds to the application directory, which might allow local users to gain pr...
How severe is CVE-2015-2720?
CVE-2015-2720 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2720?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox.