CVE-2020-12393: OS Command Injection in Mozilla Firefox

Severity: 7.8 HIGH (NVD)
EPSS: 0.5% (top 34.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 26; latest update May 24

Description

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.* This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (6 packages)

Source     | Package              | Affected range | Fixed version
CVEListV5  | mozilla/firefox      | unspecified    | 76
NVD        | mozilla/firefox      | < 76.0         |
CVEListV5  | mozilla/firefox_esr  | unspecified    | 68.8
NVD        | mozilla/firefox_esr  | < 68.8.0       |
CVEListV5  | mozilla/thunderbird  | unspecified    | 68.8.0

Vulnerability Details (3)

GHSA: GHSA-x932-mvm6-79m8: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website (2022-05-24)
CVEList: CVE-2020-12393: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website (2020-05-26)
OSV: CVE-2020-12393: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website (2020-05-26)

Vendor Advisories (5)

Red Hat: Mozilla: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection (2020-05-05)
Debian: CVE-2020-12393: firefox - The 'Copy as cURL' feature of Devtools' network tab did not properly escape the ... (2020)
Mozilla: Mozilla Foundation Security Advisory 2020-16: CVE-2020-12393
Mozilla: Mozilla Foundation Security Advisory 2020-18: CVE-2020-12393
Mozilla: Mozilla Foundation Security Advisory 2020-17: CVE-2020-12393

Community (1)

Bugzilla: CVE-2020-12393 Mozilla: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection (2020-05-06)