CVE-2020-15649 — Unrestricted File Upload in Mozilla Firefox ESR

CWE-434 — Unrestricted File Upload CWE-552 — Files or Directories Accessible to External Parties7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.2%

top 52.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox ESR

Timeline

PublishedAug 10

Latest updateMay 24

Description

Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mozilla/firefox_esrunspecified — 68.11

▶NVDmozilla/firefox_esr< 68.11

🔴Vulnerability Details

GHSA

GHSA-wg7m-wv28-cvcr: Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actual↗2022-05-24

▶

CVEList

CVE-2020-15649: Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actual↗2020-08-10

▶

📋Vendor Advisories

Red Hat

Mozilla: Exfiltrating local files through malicious file picker application↗2020-07-28

▶

Debian

CVE-2020-15649: firefox - Given an installed malicious file picker application, an attacker was able to st...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-31: CVE-2020-15649↗

▶

💬Community

Bugzilla

CVE-2020-15649 Mozilla: Exfiltrating local files through malicious file picker application↗2020-08-20

▶