CVE-2020-15663

CVSS v3.1 8.8 (High)
CVSS v2.0 9.3 (High)
EPSS 0.63 % (80th)
Affected Products 3
Advisories 15

If Firefox is installed to a user-writable directory, the Mozilla Maintenance Service would execute updater.exe from the install location with system privileges. Although the Mozilla Maintenance Service does ensure that updater.exe is signed by Mozilla, the version could have been rolled back to a previous version, which would have allowed exploitation of an older bug and arbitrary code execution with System Privileges. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, and Firefox ESR < 78.2.

Weaknesses
CWE-427
Uncontrolled Search Path Element
CVE Status
PUBLISHED
CNA
Mozilla Corporation
Published Date
2020-10-01 19:15:12
(4 years ago)
Updated Date
2022-07-12 17:42:04
(2 years ago)

Affected Products


Configuration #1

  Product                                                        CPE23                          From     Up To
  Mozilla Firefox prior 80.0 version                             cpe:2.3:a:mozilla:firefox               < 80.0
  Mozilla Firefox Esr from 68.0 version and prior 68.12 version  cpe:2.3:a:mozilla:firefox_esr  >= 68.0  < 68.12
  Mozilla Firefox Esr from 78.0 version and prior 78.2 version   cpe:2.3:a:mozilla:firefox_esr  >= 78.0  < 78.2
  Mozilla Thunderbird from 68.0 version and prior 68.12 version  cpe:2.3:a:mozilla:thunderbird  >= 68.0  < 68.12
  Mozilla Thunderbird from 78.0 version and prior 78.2 version   cpe:2.3:a:mozilla:thunderbird  >= 78.0  < 78.2