Severity
7.5 HIGH (NVD)
EPSS
0.4%
top 42.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 24
Latest update: May 24

Description

A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution. *Note: This issue only affects Firefox for Android. Other operating

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5: mozilla/firefox_esr unspecified 68.7
NVD: mozilla/firefox_esr < 68.7.0

🔴Vulnerability Details

2
GHSA
GHSA-9562-p32f-jq35: A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite (2022-05-24)
CVEList
CVE-2020-6828: A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite (2020-04-24)

📋Vendor Advisories

3
Red Hat
Mozilla: Preference overwrite via crafted Intent from malicious Android application (2020-04-08)
Debian
CVE-2020-6828: firefox-esr - A malicious Android application could craft an Intent that would have been proce... (2020)
Mozilla
Mozilla Foundation Security Advisory 2020-13: CVE-2020-6828

💬Community

1
Bugzilla
CVE-2020-6828 Mozilla: Preference overwrite via crafted Intent from malicious Android application (2020-04-07)
CVE-2020-6828 — Path Traversal in Mozilla Firefox ESR | cvebase