#VU32904 Insecure DLL loading in Mozilla Firefox and Firefox ESR - CVE-2020-15657

 


Published: July 29, 2020


Vulnerability identifier: #VU32904
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-15657
CWE-ID: CWE-427
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla Firefox
Firefox ESR
Software vendor:
Mozilla

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the application loads DLL libraries in an insecure manner from the installation directory. A remote attacker can place a specially crafted .dll file into the directory from which Firefox is being installed, trick the victim into launching the Firefox installer, and execute arbitrary code on the system.
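
A pre-launch check for the condition described above, as an added example that is not part of the advisory or of Mozilla's code: it reports DLL files that share a folder with a Firefox installer. The installer file-name patterns and the sample file names are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed installer file-name patterns (not taken from the advisory); adjust as needed.
INSTALLER_PATTERNS = ("firefox setup*.exe", "firefox installer*.exe")


def find_planted_dll_candidates(directory, patterns=INSTALLER_PATTERNS):
    """Return {installer_name: [dll_names]} for installers that share
    `directory` with at least one DLL.

    Windows searches the directory an executable was started from when it
    resolves DLL names, so any DLL beside the installer deserves review
    before the installer is launched.
    """
    installers, dlls = [], []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file():
                continue
            name = entry.name.lower()  # Windows file names are case-insensitive
            if name.endswith(".dll"):
                dlls.append(entry.name)
            elif any(fnmatch.fnmatchcase(name, p) for p in patterns):
                installers.append(entry.name)
    if not dlls:
        return {}
    return {exe: sorted(dlls) for exe in sorted(installers)}


def demo():
    """Build a constructed download folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample files: one installer, one unrelated DLL, one text file.
        for name in ("Firefox Setup.exe", "example.DLL", "notes.txt"):
            open(os.path.join(tmp, name), "wb").close()
        return find_planted_dll_candidates(tmp)


if __name__ == "__main__":
    for exe, libs in demo().items():
        print(f"{exe}: review before launching; co-located DLLs: {', '.join(libs)}")
```

Running the installer from a newly created empty folder, after moving it there, gives the same assurance without a scan.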


Remediation

Install updates from the vendor's website.
