CVE-2020-15650 - OpenCVE

Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox Esr
Google	Android

Configuration 1 [-]

AND

cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1652360	Issue Tracking
https://www.mozilla.org/security/advisories/mfsa2020-31/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2020-08-10T17:43:24

Updated: 2020-08-10T17:43:24

Reserved: 2020-07-10T00:00:00

Link: CVE-2020-15650

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-08-10T18:15:12.187

Modified: 2020-08-12T16:41:44.980

Link: CVE-2020-15650

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "68.11", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11."}], "problemTypes": [{"descriptions": [{"description": "Overwriting local files through malicious file picker application", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-10T17:43:24", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-31/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1652360"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-15650", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox ESR", "version": {"version_data": [{"version_affected": "<", "version_value": "68.11"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Overwriting local files through malicious file picker application"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2020-31/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2020-31/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1652360", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1652360"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2020-15650", "datePublished": "2020-08-10T17:43:24", "dateReserved": "2020-07-10T00:00:00", "dateUpdated": "2020-08-10T17:43:24", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0267D9C-02C0-4057-AFBC-C14B11792AB2", "versionEndExcluding": "68.11", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11."}, {"lang": "es", "value": "Dada una aplicaci\u00f3n de selecci\u00f3n de archivos maliciosa instalada, un atacante fue capaz de sobrescribir archivos locales y, por lo tanto, sobrescribir la configuraci\u00f3n de Firefox (pero sin acceder al perfil anterior). * Nota: este problema solo afect\u00f3 a Firefox para Android. Otros sistemas operativos no est\u00e1n afectados. *. Esta vulnerabilidad afecta a Firefox ESR versiones anteriores a 68.11"}], "id": "CVE-2020-15650", "lastModified": "2020-08-12T16:41:44.980", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-10T18:15:12.187", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1652360"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-31/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}