CVE-2020-12393
PUBLISHED
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.* This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
Risk Scores
EPSS Score
0.47%
64.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | mozjs38 | 0, 38.8.0~repack1-0ubuntu1, 38.8.0~repack1-0ubuntu3 |
| Ubuntu:20.04:LTS | mozjs68 | 0, 68.6.0-1ubuntu1, 68.5.0-1~fakesync |
| Ubuntu:18.04:LTS | mozjs52 | 52.3.1-0ubuntu3, 52.9.1-0ubuntu0.18.04.1, 52.3.1-7fakesync1 |
| Ubuntu:20.04:LTS | mozjs52 | 0, 52.9.1-1ubuntu3, 52.9.1-1build1 |
Timeline
- May 8, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-12393 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12393 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12393 third-party-advisory
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12393 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-12393 third-party-advisory