CVE-2020-12392 — Path Traversal in Mozilla Firefox
Severity: 5.5 MEDIUM (NVD), 8.1 (OSV)
EPSS: 0.2% (top 63.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: May 26
Latest update: May 24
Description
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 9 packages
Also affects: Ubuntu Linux 16.04, 18.04, 19.10, 20.04
Vulnerability Details (6)
GHSA
GHSA-f75r-qhf4-x3wr: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website (2022-05-24)
OSV
CVE-2020-12392: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website (2020-05-26)
CVEList
CVE-2020-12392: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website (2020-05-26)
Vendor Advisories (8)
Debian
CVE-2020-12392: firefox - The 'Copy as cURL' feature of Devtools' network tab did not properly escape the ... (2020)