CVE-2020-15658

NameCVE-2020-15658
DescriptionThe code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid81.0-2fixed
thunderbird (PTS)stretch1:68.10.0-1~deb9u1fixed
stretch (security)1:68.12.0-1~deb9u2fixed
buster1:68.10.0-1~deb10u1fixed
buster (security)1:68.12.0-1~deb10u1fixed
bullseye, sid1:68.12.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)79.0-1
thunderbirdsource(unstable)(not affected)

Notes

- thunderbird <not-affected> (Only affects Thunderbird 78.x)
https://www.mozilla.org/en-US/security/advisories/mfsa2020-32/#CVE-2020-15658
https://www.mozilla.org/en-US/security/advisories/mfsa2020-33/#CVE-2020-15658

Search for package or bug name: Reporting problems