Lucene search

MozillaCVE-2020-6828

HistoryApr 24, 2020 - 4:15 p.m.

CVE-2020-6828

2020-04-2416:15:13

CWE-22

mozilla

web.nvd.nist.gov

186

cve-2020-6828

android

intent

firefox

security

file overwrite

user profile

arbitrary preferences

code execution

vulnerability

nvd

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

45.3%

JSON

A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user’s profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution.<br> Note: This issue only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox ESR < 68.7.

Affected configurations

Nvd

Vulners

Node

googleandroidMatch-

AND

mozillafirefox_esrRange<68.7.0

VendorProductVersionCPE
googleandroid-cpe:2.3:o:google:android:-:*:*:*:*:*:*:*
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
google	android	-	cpe:2.3:o:google:android:-:::::::*
mozilla	firefox_esr	*	cpe:2.3:a:mozilla:firefox_esr::::::::

CNA Affected

[
  {
    "product": "Firefox ESR",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "68.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]