CVE-2017-7755 — Untrusted Search Path in Mozilla Firefox

CWE-426 — Untrusted Search Path3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.8%

top 26.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird +2 more

Timeline

PublishedJun 11

Latest updateMay 14

Description

The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run. This allows privileged execution if the installer is run with elevated privileges. Note: This attack only affects Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages7 packages

▶CVEListV5mozilla/firefoxunspecified — 54

▶NVDmozilla/firefox< 52.2.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 52.2

▶debiandebian/firefox

▶debiandebian/firefox-esr

🔴Vulnerability Details

GHSA

GHSA-3p4h-hgf4-rvgh: The Firefox installer on Windows can be made to load malicious DLL files stored in the same directory as the installer when it is run↗2022-05-14

▶

📋Vendor Advisories

Debian

CVE-2017-7755: firefox - The Firefox installer on Windows can be made to load malicious DLL files stored ...↗2017

▶