CVE-2024-5692 — Improper Input Validation in Mozilla Firefox

CWE-20 — Improper Input Validation8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedJun 11

Description

On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in the extension. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5mozilla/firefoxunspecified — 127

▶NVDmozilla/firefox< 115.12+1

▶CVEListV5mozilla/firefox_esrunspecified — 115.12

▶CVEListV5mozilla/thunderbirdunspecified — 115.12

▶NVDmozilla/thunderbird< 115.12

🔴Vulnerability Details

GHSA

GHSA-pqfc-h2m7-5p9p: On Windows, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such a↗2024-06-11

▶

CVEList

CVE-2024-5692: On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension suc↗2024-06-11

▶

📋Vendor Advisories

Red Hat

Mozilla: Bypass of file name restrictions during saving↗2024-06-11

▶

Debian

CVE-2024-5692: firefox - On Windows 10, when using the 'Save As' functionality, an attacker could have tr...↗2024

▶

Mozilla

Mozilla Foundation Security Advisory 2024-26: CVE-2024-5692↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-28: CVE-2024-5692↗

▶

Mozilla

Mozilla Foundation Security Advisory 2024-25: CVE-2024-5692↗

▶