{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/1888?format=json","vulnerability_id":"VCID-a8bt-cm1a-u7hd","summary":"Security researcher Frédéric Hoguin reported a mechanism where the\nMozilla Windows updater could be used to overwrite arbitrary files. He found that files\nextracted by the updater from a MAR archive are not locked for writing and\ncan be overwritten by other processes while the updater is running. A malicious local\nprogram could invoke the updater and then interfere with the extracted files, replacing\nthem with its own. This vulnerability could be used for privilege escalation if these\noverwritten files were later invoked by other Windows components that had higher\nprivileges. \nThis issue does not affect non-Windows operating systems.","aliases":[{"alias":"CVE-2016-2826"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/903?format=json","purl":"pkg:mozilla/Firefox@47.0.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox@47.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/905?format=json","purl":"pkg:mozilla/Firefox%20ESR@45.2.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:mozilla/Firefox%2520ESR@45.2.0"}],"affected_packages":[],"references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2826","reference_id":"CVE-2016-2826","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2826"},{"reference_url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-55","reference_id":"mfsa2016-55","reference_type":"","scores":[{"value":"high","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.mozilla.org/en-US/security/advisories/mfsa2016-55"}],"weaknesses":[],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a8bt-cm1a-u7hd"}