PT-2023-2792 · Mozilla+3 · Firefox Esr+5

Ameen Basha M K

+1

·

Published

2023-04-11

·

Updated

2024-12-12

·

CVE-2023-29542

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 112 Mozilla Firefox ESR versions prior to 102.10 Mozilla Thunderbird versions prior to 102.10
Description The issue is related to the incorrect handling of a newline in a filename, which could allow a remote attacker to bypass file extension security mechanisms. This mechanism replaces malicious file extensions, such as .lnk, with .download. The bypass could lead to the accidental execution of malicious code. This bug only affects Firefox and Thunderbird on Windows, with other versions of these applications being unaffected.
Recommendations For Mozilla Firefox versions prior to 112, update to version 112 or later. For Mozilla Firefox ESR versions prior to 102.10, update to version 102.10 or later. For Mozilla Thunderbird versions prior to 102.10, update to version 102.10 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-254

Related Identifiers

ALT-PU-2023-1621
ALT-PU-2023-1648
ALT-PU-2023-1649
ALT-PU-2023-1758
ALT-PU-2023-1765
ALT-PU-2023-1783
ALT-PU-2023-1797
ALT-PU-2023-1817
ALT-PU-2023-4365
ALT-PU-2023-4366
ALT-PU-2023-5202
BDU:2023-02690
CVE-2023-29542
OPENSUSE-SU-2024:12852-1
OPENSUSE-SU-2024:12856-1
OPENSUSE-SU-2024:12882-1
OPENSUSE-SU-2024:14572-1
SUSE-SU-2023:1817-1
SUSE-SU-2023:1819-1
SUSE-SU-2023:1855-1
SUSE-SU-2023:2064-1

Affected Products

Alt Linux
Firefox
Firefox Esr
Thunderbird
Red Os
Suse