CVE-2023-29541

Name of the Vulnerable Software and Affected Versions Firefox versions prior to 112 Focus for Android versions prior to 112 Firefox ESR versions prior to 102.10 Firefox for Android versions prior to 112 Thunderbird versions prior to 102.10

Description The issue is related to the improper handling of file downloads with names ending in .desktop, which can be interpreted to run attacker-controlled commands. This bug only affects Firefox for Linux on certain distributions, with other operating systems being unaffected. The vulnerability can allow a remote attacker to bypass security restrictions and execute arbitrary commands.

Recommendations For Firefox versions prior to 112, update to version 112 or later. For Focus for Android versions prior to 112, update to version 112 or later. For Firefox ESR versions prior to 102.10, update to version 102.10 or later. For Firefox for Android versions prior to 112, update to version 112 or later. For Thunderbird versions prior to 102.10, update to version 102.10 or later. As a temporary workaround, consider avoiding downloads of files with names ending in .desktop until a patch is available. Restrict access to potentially vulnerable systems to minimize the risk of exploitation.