PT-2020-19228 · Apple+3 · Macos X+5

Vladimir Metnew

·

Published

2020-02-12

·

Updated

2024-12-12

·

CVE-2020-6797

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Thunderbird versions prior to 68.5 Firefox versions prior to 73 Firefox ESR versions prior to 68.5
Description A semi-privileged extension can launch an arbitrary application on the user's computer by downloading a file with the .fileloc extension. However, the attacker's ability to exploit this issue is limited as they cannot download non-quarantined files or supply command line arguments to the application. This issue only affects Mac OSX, with other operating systems being unaffected.
Recommendations For Thunderbird versions prior to 68.5, update to version 68.5 or later. For Firefox versions prior to 73, update to version 73 or later. For Firefox ESR versions prior to 68.5, update to version 68.5 or later. As a temporary workaround, consider restricting the handling of .fileloc files to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2020-1182
ALT-PU-2020-1186
ALT-PU-2020-1237
ALT-PU-2020-1399
ALT-PU-2020-1515
CVE-2020-6797
OPENSUSE-SU-2020:0230-1
OPENSUSE-SU-2020:0231-1
OPENSUSE-SU-2020_0230-1
OPENSUSE-SU-2020_0231-1
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:10601-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2020:0383-1
SUSE-SU-2020:0384-1
SUSE-SU-2020:0385-1
SUSE-SU-2020:14290-1

Affected Products

Alt Linux
Firefox
Firefox Esr
Macos X
Suse
Thunderbird