CVE-2020-15657 — Uncontrolled Search Path Element in Mozilla Firefox

CWE-427 — Uncontrolled Search Path Element CWE-426 — Untrusted Search Path9 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 57.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedAug 10

Latest updateMay 24

Description

Firefox could be made to load attacker-supplied DLL files from the installation directory. This required an attacker that is already capable of placing files in the installation directory. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 79

▶NVDmozilla/firefox< 79.0

▶CVEListV5mozilla/firefox_esrunspecified — 78.1

▶NVDmozilla/firefox_esr< 78.1

▶CVEListV5mozilla/thunderbirdunspecified — 78.1

🔴Vulnerability Details

GHSA

GHSA-vxw8-wvxp-5f2r: Firefox could be made to load attacker-supplied DLL files from the installation directory↗2022-05-24

▶

CVEList

CVE-2020-15657: Firefox could be made to load attacker-supplied DLL files from the installation directory↗2020-08-10

▶

📋Vendor Advisories

Red Hat

Mozilla: DLL hijacking due to incorrect loading path↗2020-07-28

▶

Debian

CVE-2020-15657: firefox - Firefox could be made to load attacker-supplied DLL files from the installation ...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-30: CVE-2020-15657↗

▶

Mozilla

Mozilla Foundation Security Advisory 2020-32: CVE-2020-15657↗

▶

Mozilla

Mozilla Foundation Security Advisory 2020-33: CVE-2020-15657↗

▶

💬Community

Bugzilla

CVE-2020-15657 Mozilla: DLL hijacking due to incorrect loading path↗2020-07-29

▶