Lucene search

[email protected]CVE-2020-6828

HistoryApr 24, 2020 - 4:15 p.m.

CVE-2020-6828

2020-04-2416:15:13

CWE-22

[email protected]

web.nvd.nist.gov

178

cve-2020-6828

android

intent

firefox

security

file overwrite

user profile

arbitrary preferences

code execution

vulnerability

nvd

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.4%

JSON

A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user’s profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution.<br> Note: This issue only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox ESR < 68.7.

Affected configurations

Vulners

NVD

Node

mozillafirefox_esrRange≤68.7

VendorProductVersionCPE
mozillafirefox_esr*cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox_esr	*	cpe:2.3:a:mozilla:firefox_esr::::::::

CNA Affected

[
  {
    "product": "Firefox ESR",
    "vendor": "Mozilla",
    "versions": [
      {
        "lessThan": "68.7",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]