CVE-2016-5294

Published: 11 June 2018

The Mozilla Updater can be made to choose an arbitrary target working directory for output files resulting from the update process. This vulnerability requires local system access. Note: this issue only affects Windows operating systems. This vulnerability affects Thunderbird < 45.5, Firefox ESR < 45.5, and Firefox < 50.

Priority

Medium

CVSS 3 base score: 5.5

Status

Package / Release / Status

firefox (Launchpad, Ubuntu, Debian)
  Upstream: Released (50)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (windows only)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [windows only])

thunderbird (Launchpad, Ubuntu, Debian)
  Upstream: Not vulnerable (windows only)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (windows only)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was not-affected [windows only])