CVE-2020-15651 — Improper Input Validation in Mozilla Firefox FOR IOS

CWE-20 — Improper Input Validation6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.2%

top 59.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox FOR IOS Mozilla Firefox

Timeline

PublishedAug 10

Latest updateMay 24

Description

A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension. This vulnerability affects Firefox for iOS < 28.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDmozilla/firefox< 28.0

▶CVEListV5mozilla/firefox_for_iosunspecified — 28

🔴Vulnerability Details

GHSA

GHSA-5p65-3pv7-7gq2: A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extensi↗2022-05-24

▶

CVEList

CVE-2020-15651: A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extensi↗2020-08-10

▶

📋Vendor Advisories

Debian

CVE-2020-15651: firefox - A unicode RTL order character in the downloaded file name can be used to change ...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-34: CVE-2020-15651↗

▶

💬Community

Bugzilla

CVE-2020-10689 che: pods in kubernetes cluster can bypass JWT proxy and send unauthenticated requests to workspace pods↗2020-03-24

▶