CVE-2022-45415 — Unrestricted File Upload in Mozilla Firefox

CWE-434 — Unrestricted File Upload7 documents6 sources

Severity

7.8HIGHNVD

OSV8.1

EPSS

0.1%

top 70.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedDec 22

Description

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/firefox< firefox 107.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 107

▶NVDmozilla/firefox< 107.0

▶Ubuntumozilla/firefox< 107.0+build2-0ubuntu0.18.04.1+1

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-jx2q-hvww-224r: When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with t↗2022-12-22

▶

OSV

CVE-2022-45415: When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with t↗2022-11-16

▶

OSV

firefox vulnerabilities↗2022-11-16

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2022-11-16

▶

Debian

CVE-2022-45415: firefox - When downloading an HTML file, if the title of the page was formatted as a filen...↗2022

▶

Mozilla

Mozilla Foundation Security Advisory 2022-47: CVE-2022-45415↗

▶