CVE-2023-4052

CVSS v3.1 6.5 (Medium)
EPSS 0.11% (44th percentile)
Affected Products 2
Advisories 10

The Firefox updater created a directory writable by non-privileged users. When uninstalling Firefox, any files in that directory would be recursively deleted with the permissions of the uninstalling user account. This could be combined with creation of a junction (a form of symbolic link) to allow arbitrary file deletion controlled by the non-privileged user.
This bug only affects Firefox on Windows. Other operating systems are unaffected. This vulnerability affects Firefox < 116, Firefox ESR < 115.1, and Thunderbird < 115.1.

Weaknesses
CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE Status
PUBLISHED
CNA
Mozilla Corporation
Published Date
2023-08-01 15:15:10
Updated Date
2023-08-07 14:15:11

Affected Products


Configuration #1

  Product                                CPE23                             From   Up To
  Mozilla Firefox prior 116.0 version    cpe:2.3:a:mozilla:firefox         -      < 116.0
  Mozilla Firefox ESR prior 115.1 version cpe:2.3:a:mozilla:firefox_esr    -      < 115.1