CVE-2020-35112

Name: CVE-2020-35112
Description: If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| firefox (PTS) | sid | 88.0-1 | fixed |
| firefox-esr (PTS) | stretch | 68.10.0esr-1~deb9u1 | fixed |
| | stretch (security) | 78.10.0esr-1~deb9u1 | fixed |
| | buster | 78.8.0esr-1~deb10u1 | fixed |
| | buster (security) | 78.10.0esr-1~deb10u1 | fixed |
| | bullseye, sid | 78.10.0esr-1 | fixed |
| thunderbird (PTS) | stretch | 1:68.10.0-1~deb9u1 | fixed |
| | stretch (security) | 1:78.10.0-1~deb9u1 | fixed |
| | buster | 1:78.6.0-1~deb10u1 | fixed |
| | buster (security) | 1:78.10.0-1~deb10u1 | fixed |
| | bullseye, sid | 1:78.10.0-1 | fixed |

The information below is based on the following data on fixed versions.

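| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| firefox | source | (unstable) | (not affected) | | | |
| firefox-esr | source | (unstable) | (not affected) | | | |
| thunderbird | source | (unstable) | (not affected) | | | |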

Notes

- firefox <not-affected> (Only affects Windows)
- firefox-esr <not-affected> (Only affects Windows)
- thunderbird <not-affected> (only affects Windows)
https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-35112
https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/#CVE-2020-35112
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/#CVE-2020-35112
