PT-2021-2747 · Mozilla+7 · Firefox+9
Daniel Santos · Published 2021-04-19 · Updated 2024-12-12 · CVE-2021-24002
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Firefox versions prior to 88
Firefox ESR versions prior to 78.10
Thunderbird versions prior to 78.10
Description:
The issue is caused by errors in handling encoded newline characters, such as %0A or %0D, in FTP URLs. When a user clicks on an FTP URL containing encoded newline characters, the newlines are interpreted, which allows a remote attacker to send arbitrary commands to the FTP server.
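A defensive check for the condition described above, as an added example (not Mozilla's fix and not code from this advisory): it flags ftp:// URLs whose user, password, path or query contains CR or LF after one round of percent-decoding, for use when filtering links or reviewing proxy logs. The function names and the sample URLs are constructed for illustration, and the single decoding round is an assumption about how a client processes the URL.

```python
from urllib.parse import urlsplit, unquote


def ftp_url_newline_findings(url):
    """Return the names of ftp:// URL components that hold CR or LF
    once percent-decoded (one round, an assumption of this example)."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed authority (e.g. a broken IPv6 literal): nothing to inspect.
        return []
    if parts.scheme != "ftp":  # urlsplit lowercases the scheme
        return []
    fields = {
        "username": parts.username or "",
        "password": parts.password or "",
        "path": parts.path,
        "query": parts.query,
    }
    findings = []
    for name, raw in fields.items():
        # latin-1 maps every %XX byte to one character, so nothing is lost.
        decoded = unquote(raw, encoding="latin-1")
        if "\r" in decoded or "\n" in decoded:
            findings.append(name)
    return findings


def scan_urls(urls):
    """Map each flagged URL to the components that carry a newline."""
    flagged = {}
    for url in urls:
        hits = ftp_url_newline_findings(url)
        if hits:
            flagged[url] = hits
    return flagged


# Constructed sample input; hosts and file names are placeholders.
SAMPLE_URLS = [
    "ftp://ftp.example.test/pub/readme.txt",
    "ftp://ftp.example.test/pub/readme.txt%0D%0ANOOP",
    "ftp://user%0aNOOP@ftp.example.test/",
    "FTP://ftp.example.test/dir%0d/file",
    "ftp://ftp.example.test/pub/a%250Ab",   # double-encoded, stays literal
    "https://example.test/a%0Ab",           # not an FTP URL
]

if __name__ == "__main__":
    for url, components in scan_urls(SAMPLE_URLS).items():
        print(f"newline in {', '.join(components)}: {url}")
```
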
Recommendations:
For Firefox versions prior to 88, update to version 88 or later.
For Firefox ESR versions prior to 78.10, update to version 78.10 or later.
For Thunderbird versions prior to 78.10, update to version 78.10 or later.
Exploit
Fix
RCE
Special Elements Injection
Affected Products
Alt Linux
Astra Linux
Centos
Firefox
Firefox Esr
Linuxmint
Red Hat
Suse
Thunderbird
Ubuntu