#VU78852 Insecure Inherited Permissions in Mozilla Firefox and Firefox ESR - CVE-2023-4052 

 


Published: August 1, 2023 / Updated: August 2, 2023


Vulnerability identifier: #VU78852
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-4052
CWE-ID: CWE-277
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla Firefox
Firefox ESR
Software vendor:
Mozilla

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Firefox uninstaller follows symbolic links when removing files from a directory that is created by the application updater and is writable by non-privileged users. A local user can create symbolic links to critical files on the system and have them deleted when Firefox is uninstalled.

Note: the vulnerability affects Windows installations only.
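The following audit is an added example, not part of the advisory and not Mozilla's code: it walks a directory without following links and reports every link whose target resolves outside that directory, the condition the description above depends on. The directory to audit is an assumption supplied by the caller, since the advisory does not name it, and the sample tree in `demo()` is constructed.

```python
import os
import tempfile

def _is_link(path):
    # Symlink on any platform; NTFS junctions only where Python exposes the
    # check (os.path.isjunction, 3.12+). Older versions will miss junctions.
    is_junction = getattr(os.path, "isjunction", lambda p: False)
    return os.path.islink(path) or is_junction(path)

def find_escaping_links(root):
    """Return sorted (link, resolved_target) pairs for links under root
    whose target resolves outside root. Links are never traversed."""
    root_real = os.path.realpath(root)
    findings = []
    stack = [root_real]
    while stack:
        current = stack.pop()
        with os.scandir(current) as entries:
            for entry in entries:
                if _is_link(entry.path):
                    target = os.path.realpath(entry.path)
                    try:
                        inside = os.path.commonpath([root_real, target]) == root_real
                    except ValueError:  # e.g. target on another Windows drive
                        inside = False
                    if not inside:
                        findings.append((entry.path, target))
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return sorted(findings)

def demo():
    # Constructed tree: one real file, one link that stays inside the
    # audited directory, and one link that points outside it.
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        root = os.path.join(base, "updates")      # hypothetical directory name
        outside = os.path.join(base, "critical.cfg")
        os.makedirs(os.path.join(root, "sub"))
        open(outside, "w").close()
        open(os.path.join(root, "sub", "real.log"), "w").close()
        os.symlink(os.path.join(root, "sub", "real.log"), os.path.join(root, "inner"))
        os.symlink(outside, os.path.join(root, "sub", "escape"))
        return [(os.path.basename(link), os.path.basename(target))
                for link, target in find_escaping_links(root)]

if __name__ == "__main__":
    print(demo())
```

On Windows, creating the symbolic links in `demo()` requires the symlink privilege or Developer Mode; `find_escaping_links` itself only reads the tree.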


Remediation

Install updates from the vendor's website.

External links