CVE-2004-0906
First published: Fri Sep 24 2004(Updated: )
The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | =1.4.2 | |
| Mozilla Firefox | =0.9.5 | |
| Thunderbird | =0.6 | |
| Thunderbird | =0.7.2 | |
| Mozilla Firefox | =0.9.35 | |
| Thunderbird | =0.3 | |
| Mozilla Firefox | =0.9.3 | |
| Mozilla Firefox | =1.0.1 | |
| Mozilla Firefox | =1.7-alpha | |
| Thunderbird | =0.2 | |
| Mozilla Firefox | =0.9.48 | |
| Mozilla Firefox | =1.7-rc1 | |
| Mozilla Firefox | =1.2.1 | |
| Mozilla Firefox | =1.0-rc1 | |
| Mozilla Firefox | =1.2-alpha | |
| Mozilla Firefox | =1.7 | |
| Mozilla Firefox | =0.9.7 | |
| Mozilla Firefox | =1.1-beta | |
| Mozilla Firefox | =1.0-rc2 | |
| Mozilla Firefox | =0.9.2.1 | |
| Mozilla Firefox | =1.4.1 | |
| Mozilla Firefox | =1.4-beta | |
| Mozilla Firefox | =1.2 | |
| Mozilla Firefox | =0.9.2 | |
| Mozilla Firefox | =1.4.4 | |
| Mozilla Firefox | =1.3 | |
| Mozilla Firefox | =1.2-beta | |
| Mozilla Firefox | =1.0 | |
| Mozilla Firefox | =1.7-beta | |
| Mozilla Firefox | =0.9.8 | |
| Mozilla Firefox | =1.4 | |
| Mozilla Firefox | =1.5 | |
| Mozilla Firefox | =0.9.4 | |
| Thunderbird | =0.5 | |
| Mozilla Firefox | =1.7.1 | |
| Thunderbird | =0.7.3 | |
| Mozilla Firefox | =1.4-alpha | |
| Thunderbird | =0.4 | |
| Thunderbird | =0.7 | |
| Mozilla Firefox | =0.9.6 | |
| Mozilla Firefox | =1.5.1 | |
| Mozilla Firefox | =1.1 | |
| Mozilla Firefox | =1.1-alpha | |
| Mozilla Firefox | =0.9.4.1 | |
| Mozilla Firefox | =0.8 | |
| Mozilla Firefox | =1.7.2 | |
| Thunderbird | =0.1 | |
| Mozilla Firefox | =1.0.2 | |
| Mozilla Firefox | =1.7-rc3 | |
| Thunderbird | =0.7.1 | |
| Mozilla Firefox | =1.7-rc2 | |
| Mozilla Firefox | =1.3.1 | |
| Mozilla Firefox | =0.9.9 | |
| Mozilla Firefox | =1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
- http://bugzilla.mozilla.org/show_bug.cgi?id=235781
- http://bugzilla.mozilla.org/show_bug.cgi?id=231083
- http://security.gentoo.org/glsa/glsa-200409-26.xml
- http://www.redhat.com/support/errata/RHSA-2005-323.html
- http://www.novell.com/linux/security/advisories/2004_36_mozilla.html
- http://www.kb.cert.org/vuls/id/653160
- http://www.securityfocus.com/bid/11192
- http://secunia.com/advisories/12526/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17375
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11668
Frequently Asked Questions
What is the severity of CVE-2004-0906?
CVE-2004-0906 is classified as a medium severity vulnerability due to its potential to allow local users to overwrite arbitrary files or execute arbitrary code.
How do I fix CVE-2004-0906?
To fix CVE-2004-0906, update your Mozilla Firefox or Thunderbird to a version that is 1.7.3 or later.
What types of software are affected by CVE-2004-0906?
CVE-2004-0906 affects various versions of Mozilla Firefox before 1.7.3 and Thunderbird before 0.8.
Can CVE-2004-0906 be exploited remotely?
CVE-2004-0906 cannot be exploited remotely as it requires local access to the system.
What files are insecure due to CVE-2004-0906?
The XPInstall installer in affected versions sets insecure permissions for certain files within xpi packages.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/author
- agent/references
- agent/last-modified-date
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- vendor/mozilla
- product/mozilla
- canonical/mozilla mozilla
- product/thunderbird
- canonical/mozilla thunderbird
- agent/software-canonical-lookup-request
- collector/nvd-index
- canonical/mozilla firefox
- version/mozilla firefox/1.4.2
- version/mozilla firefox/0.9.5
- canonical/thunderbird
- version/thunderbird/0.6
- version/thunderbird/0.7.2
- version/mozilla firefox/0.9.35
- version/thunderbird/0.3
- version/mozilla firefox/0.9.3
- version/mozilla firefox/1.0.1
- version/mozilla firefox/1.7-alpha
- version/thunderbird/0.2
- version/mozilla firefox/0.9.48
- version/mozilla firefox/1.7-rc1
- version/mozilla firefox/1.2.1
- version/mozilla firefox/1.0-rc1
- version/mozilla firefox/1.2-alpha
- version/mozilla firefox/1.7
- version/mozilla firefox/0.9.7
- version/mozilla firefox/1.1-beta
- version/mozilla firefox/1.0-rc2
- version/mozilla firefox/0.9.2.1
- version/mozilla firefox/1.4.1
- version/mozilla firefox/1.4-beta
- version/mozilla firefox/1.2
- version/mozilla firefox/0.9.2
- version/mozilla firefox/1.4.4
- version/mozilla firefox/1.3
- version/mozilla firefox/1.2-beta
- version/mozilla firefox/1.0
- version/mozilla firefox/1.7-beta
- version/mozilla firefox/0.9.8
- version/mozilla firefox/1.4
- version/mozilla firefox/1.5
- version/mozilla firefox/0.9.4
- version/thunderbird/0.5
- version/mozilla firefox/1.7.1
- version/thunderbird/0.7.3
- version/mozilla firefox/1.4-alpha
- version/thunderbird/0.4
- version/thunderbird/0.7
- version/mozilla firefox/0.9.6
- version/mozilla firefox/1.5.1
- version/mozilla firefox/1.1
- version/mozilla firefox/1.1-alpha
- version/mozilla firefox/0.9.4.1
- version/mozilla firefox/0.8
- version/mozilla firefox/1.7.2
- version/thunderbird/0.1
- version/mozilla firefox/1.0.2
- version/mozilla firefox/1.7-rc3
- version/thunderbird/0.7.1
- version/mozilla firefox/1.7-rc2
- version/mozilla firefox/1.3.1
- version/mozilla firefox/0.9.9
- version/mozilla firefox/1.6