CVE-2024-3863 — Unrestricted File Upload in Mozilla Firefox

CWE-434 — Unrestricted File Upload CWE-357 — Insufficient UI Warning of Dangerous Operations8 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 43.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedApr 16

Description

The executable file warning was not presented when downloading .xrm-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5mozilla/firefoxunspecified — 125

▶NVDmozilla/firefox< 115.10.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 115.10

▶CVEListV5mozilla/thunderbirdunspecified — 115.10

▶NVDmozilla/thunderbird< 115.10

🔴Vulnerability Details

GHSA

GHSA-3vhm-v3w9-8mr8: The executable file warning was not presented when downloading↗2024-04-16

▶

CVEList

CVE-2024-3863: The executable file warning was not presented when downloading↗2024-04-16

▶

📋Vendor Advisories

Red Hat

Mozilla: Download Protections were bypassed by .xrm-ms files on Windows↗2024-04-16

▶

Debian

CVE-2024-3863: firefox - The executable file warning was not presented when downloading .xrm-ms files. ...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-18: CVE-2024-3863↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-20: CVE-2024-3863↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-19: CVE-2024-3863↗

▶