#VU45688 Input validation error - CVE-2020-15650

Cybersecurity Help s.r.o.

Published: 2020-08-10 | Updated: 2020-08-13

Vulnerability identifier: #VU45688

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-15650

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile). *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.

Mitigation
Install update from vendor's website.

External links
https://bugzilla.mozilla.org/show_bug.cgi?id=1652360
https://www.mozilla.org/security/advisories/mfsa2020-31/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in mozjs68 (Alpine package)

Input validation error in firefox-esr (Alpine package)