SB2020072961 - Arbitrary file upload in firefox-esr (Alpine package)
Published: July 29, 2020
Security Bulletin ID
SB2020072961
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Arbitrary file upload (CVE-ID: CVE-2020-15649)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 68.11.
Remediation
Install update from vendor's website.