CVE-2020-6797
PUBLISHED
Reported by mozilla · Published March 2, 2020
By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note: this issue only occurs on Mac OSX. Other operating systems are unaffected. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Thunderbird | unspecified |
| Mozilla | Firefox | unspecified, unspecified |
| alpine | firefox-esr | 0, 0, 0 |
| alpine | thunderbird | 0, 0, 0 |
Exploit Intelligence
- Uncovering file quarantine and UX security issues in macOS apps (.terminal, .fileloc and .url) (hackerone)
Timeline
- CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Jul 23, 2021 PoC Published
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- GLSA-202003-02 (vendor-advisory, x_refsource_GENTOO)