CVE-2004-0906 — Mozilla vulnerability

5 documents5 sources

Severity

4.6MEDIUMNVD

EPSS

0.1%

top 65.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Mozilla Thunderbird

Timeline

PublishedDec 31

Latest updateApr 29

Description

The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.

CVSS vector

AV:L/AC:L/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

▶NVDmozilla/thunderbird10 versions+9

▶NVDmozilla/mozilla31 versions+30

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-2vph-3h86-9f5r: The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1↗2022-04-29

▶

CVEList

CVE-2004-0906: The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1↗2004-09-24

▶

📋Vendor Advisories

Red Hat

security flaw↗2004-02-26

▶

💬Community

Bugzilla

CVE-2004-0906 security flaw↗2018-08-16

▶