CVE-2020-15663

EPSS 1.67%
Published 01.10.2020 19:15:12
Last modified 21.11.2024 05:05:58
Source security@mozilla.org
Teams watchlist Login
Open Login

If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, and Firefox ESR < 78.2.

Affected products Warnungen 0 Metrics 3 CWE 1 References 9

Data is provided by the National Vulnerability Database (NVD)

Mozilla ≫ Firefox Version < 80.0

Mozilla ≫ Firefox Version >= 78.0 < 78.2

Mozilla ≫ Firefox ESR Version >= 68.0 < 68.12

Mozilla ≫ Thunderbird Version >= 68.0 < 68.12

Mozilla ≫ Thunderbird Version >= 78.0 < 78.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.67%	0.804

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C

CWE-427 Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

https://bugzilla.mozilla.org/show_bug.cgi?id=1643199

Vendor Advisory

Issue Tracking

Permissions Required

https://www.mozilla.org/security/advisories/mfsa2020-36/

Vendor Advisory

Release Notes

https://www.mozilla.org/security/advisories/mfsa2020-37/

Vendor Advisory

Release Notes

https://www.mozilla.org/security/advisories/mfsa2020-38/

Vendor Advisory