CVE-2020-12392LOW
Description
The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1614468
https://security.gentoo.org/glsa/202005-03
https://security.gentoo.org/glsa/202005-04
https://usn.ubuntu.com/4373-1/
https://www.mozilla.org/security/advisories/mfsa2020-16/
Details
Source: MITRE
Published: 2020-05-26
Updated: 2020-06-12
Type: CWE-200
Risk Information
CVSS v2.0
Base Score: 2.1
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 3.9
Severity: LOW
CVSS v3.0
Base Score: 5.5
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 1.8
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 147407 | NewStart CGSL MAIN 4.06 : firefox Multiple Vulnerabilities (NS-SA-2021-0004) | Nessus | NewStart CGSL Local Security Checks | critical |
| 147312 | NewStart CGSL MAIN 4.06 : thunderbird Multiple Vulnerabilities (NS-SA-2021-0002) | Nessus | NewStart CGSL Local Security Checks | critical |
| 145906 | CentOS 8 : thunderbird (CESA-2020:2046) | Nessus | CentOS Local Security Checks | critical |
| 143979 | NewStart CGSL CORE 5.05 / MAIN 5.05 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0093) | Nessus | NewStart CGSL Local Security Checks | critical |
| 143948 | NewStart CGSL CORE 5.05 / MAIN 5.05 : firefox Multiple Vulnerabilities (NS-SA-2020-0097) | Nessus | NewStart CGSL Local Security Checks | critical |
| 143928 | NewStart CGSL CORE 5.04 / MAIN 5.04 : firefox Multiple Vulnerabilities (NS-SA-2020-0064) | Nessus | NewStart CGSL Local Security Checks | critical |
| 143912 | NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0074) | Nessus | NewStart CGSL Local Security Checks | critical |
| 138776 | NewStart CGSL MAIN 6.01 : thunderbird Multiple Vulnerabilities (NS-SA-2020-0036) | Nessus | NewStart CGSL Local Security Checks | critical |
| 136894 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : Thunderbird vulnerabilities (USN-4373-1) | Nessus | Ubuntu Local Security Checks | critical |
| 136776 | CentOS 7 : thunderbird (CESA-2020:2050) | Nessus | CentOS Local Security Checks | critical |
| 136775 | CentOS 6 : thunderbird (CESA-2020:2049) | Nessus | CentOS Local Security Checks | critical |
| 136773 | CentOS 7 : firefox (CESA-2020:2037) | Nessus | CentOS Local Security Checks | critical |
| 136772 | CentOS 6 : firefox (CESA-2020:2036) | Nessus | CentOS Local Security Checks | critical |
| 136752 | Amazon Linux 2 : thunderbird (ALAS-2020-1429) | Nessus | Amazon Linux Local Security Checks | critical |
| 136658 | SUSE SLED15 / SLES15 Security Update : MozillaThunderbird (SUSE-SU-2020:1225-1) | Nessus | SuSE Local Security Checks | critical |
| 136654 | SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2020:1218-1) | Nessus | SuSE Local Security Checks | critical |
| 136649 | SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2020:1209-1) | Nessus | SuSE Local Security Checks | critical |
| 136600 | Oracle Linux 8 : thunderbird (ELSA-2020-2046) | Nessus | Oracle Linux Local Security Checks | critical |
| 136545 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : Firefox regression (USN-4353-2) | Nessus | Ubuntu Local Security Checks | critical |
| 136543 | Oracle Linux 7 : thunderbird (ELSA-2020-2050) | Nessus | Oracle Linux Local Security Checks | critical |
| 136541 | GLSA-202005-04 : Mozilla Firefox: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 136540 | GLSA-202005-03 : Mozilla Thunderbird: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical |
| 136487 | Scientific Linux Security Update : thunderbird on SL7.x x86_64 (20200511) | Nessus | Scientific Linux Local Security Checks | critical |
| 136486 | Scientific Linux Security Update : thunderbird on SL6.x i386/x86_64 (20200511) | Nessus | Scientific Linux Local Security Checks | critical |
| 136477 | RHEL 6 : thunderbird (RHSA-2020:2049) | Nessus | Red Hat Local Security Checks | critical |
| 136476 | RHEL 8 : thunderbird (RHSA-2020:2046) | Nessus | Red Hat Local Security Checks | critical |
| 136475 | RHEL 7 : thunderbird (RHSA-2020:2050) | Nessus | Red Hat Local Security Checks | critical |
| 136471 | RHEL 8 : thunderbird (RHSA-2020:2047) | Nessus | Red Hat Local Security Checks | critical |
| 136470 | RHEL 8 : thunderbird (RHSA-2020:2048) | Nessus | Red Hat Local Security Checks | critical |
| 136461 | openSUSE Security Update : MozillaThunderbird (openSUSE-2020-643) | Nessus | SuSE Local Security Checks | critical |
| 136450 | openSUSE Security Update : MozillaFirefox (openSUSE-2020-621) | Nessus | SuSE Local Security Checks | critical |
| 136431 | Debian DSA-4683-1 : thunderbird - security update | Nessus | Debian Local Security Checks | critical |
| 136428 | Debian DLA-2206-1 : thunderbird security update | Nessus | Debian Local Security Checks | critical |
| 136427 | Debian DLA-2205-1 : firefox-esr security update | Nessus | Debian Local Security Checks | critical |
| 136420 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : firefox vulnerabilities (USN-4353-1) | Nessus | Ubuntu Local Security Checks | critical |
| 136418 | Oracle Linux 7 : firefox (ELSA-2020-2037) | Nessus | Oracle Linux Local Security Checks | critical |
| 136404 | Mozilla Firefox < 76.0 | Nessus | Windows | critical |
| 136403 | Mozilla Firefox < 76.0 | Nessus | MacOS X Local Security Checks | critical |
| 136392 | Slackware 14.2 / current : mozilla-firefox (SSA:2020-126-01) | Nessus | Slackware Local Security Checks | critical |
| 136390 | Scientific Linux Security Update : firefox on SL7.x x86_64 (20200506) | Nessus | Scientific Linux Local Security Checks | critical |
| 136389 | Scientific Linux Security Update : firefox on SL6.x i386/x86_64 (20200506) | Nessus | Scientific Linux Local Security Checks | critical |
| 136374 | Debian DSA-4678-1 : firefox-esr - security update | Nessus | Debian Local Security Checks | critical |
| 136359 | Mozilla Thunderbird < 68.8.0 | Nessus | Windows | critical |
| 136358 | Mozilla Thunderbird < 68.8.0 | Nessus | MacOS X Local Security Checks | critical |
| 136357 | Mozilla Firefox ESR < 68.8 | Nessus | Windows | critical |
| 136356 | Mozilla Firefox ESR < 68.8 | Nessus | MacOS X Local Security Checks | critical |
| 136354 | RHEL 6 : firefox (RHSA-2020:2036) | Nessus | Red Hat Local Security Checks | critical |
| 136351 | RHEL 7 : firefox (RHSA-2020:2037) | Nessus | Red Hat Local Security Checks | critical |
| 136344 | RHEL 8 : firefox (RHSA-2020:2033) | Nessus | Red Hat Local Security Checks | critical |
| 136343 | RHEL 8 : firefox (RHSA-2020:2032) | Nessus | Red Hat Local Security Checks | critical |
| 136342 | RHEL 8 : firefox (RHSA-2020:2031) | Nessus | Red Hat Local Security Checks | critical |