CVE-2020-12392

CVSS v3.1 5.5 (Medium)

CVSS v2.0 2.1 (Low)

EPSS 0.05 % (17^th)

Affected Products 4

Advisories 31

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.

Weaknesses

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE Status: PUBLISHED
CNA: Mozilla Corporation
Published Date: 2020-05-26 18:15:11
(4 years ago)
Updated Date: 2022-04-26 19:12:40
(2 years ago)

Affected Products

Canonical

Ubuntu Linux

Mozilla

Configuration #1

	CPE23	Up To
Mozilla Firefox prior 76.0 version	cpe:2.3:a:mozilla:firefox	< 76.0
Mozilla Firefox Esr prior 68.8.0 version	cpe:2.3:a:mozilla:firefox_esr	< 68.8.0
Mozilla Thunderbird prior 68.8.0 version	cpe:2.3:a:mozilla:thunderbird	< 68.8.0

Configuration #2

		CPE23	From	Up To
	Canonical Ubuntu Linux 16.04	cpe:2.3:o:canonical:ubuntu_linux:16.04:::*:esm
	Canonical Ubuntu Linux 18.04	cpe:2.3:o:canonical:ubuntu_linux:18.04:::*:lts
	Canonical Ubuntu Linux 19.10	cpe:2.3:o:canonical:ubuntu_linux:19.10
	Canonical Ubuntu Linux 20.04	cpe:2.3:o:canonical:ubuntu_linux:20.04:::*:lts