CVSS3 | 9.8 High |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS | 0.002 Low |
---|---|
Percentile | 59.9% |

A newline in a filename could have been used to bypass the file extension
security mechanisms that replace malicious file extensions such as .lnk
with .download. This could have led to accidental execution of malicious
code. This bug only affects Firefox and Thunderbird on Windows. Other
versions of Firefox and Thunderbird are unaffected. This vulnerability
affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.

Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
mdeslaur | starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap |
rodrigo-zaiden | Windows issue only |
launchpad.net/bugs/cve/CVE-2023-29542
nvd.nist.gov/vuln/detail/CVE-2023-29542
security-tracker.debian.org/tracker/CVE-2023-29542
www.cve.org/CVERecord?id=CVE-2023-29542
www.mozilla.org/en-US/security/advisories/mfsa2023-13/#CVE-2023-29542
www.mozilla.org/en-US/security/advisories/mfsa2023-14/#CVE-2023-29542