CVE-2020-35112
First published: Tue Dec 15 2020(Updated: )
If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <84.0 | |
| Firefox ESR | <78.6.0 | |
| Thunderbird | <78.6.0 | |
| Microsoft Windows | ||
| Thunderbird | <78.6 | 78.6 |
| Firefox | <84 | 84 |
| Firefox ESR | <78.6 | 78.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661365
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/
- https://www.mozilla.org/security/advisories/mfsa2020-54/
- https://www.mozilla.org/security/advisories/mfsa2020-55/
- https://www.mozilla.org/security/advisories/mfsa2020-56/
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2020-35112?
CVE-2020-35112 is categorized as a high severity vulnerability.
How do I fix CVE-2020-35112?
To fix CVE-2020-35112, update to Mozilla Firefox version 84 and later or Firefox ESR version 78.6 and later.
What is the impact of CVE-2020-35112?
The impact of CVE-2020-35112 is that it could lead to unintended execution of executable files when opening files without extensions.
Which software versions are affected by CVE-2020-35112?
CVE-2020-35112 affects Mozilla Firefox versions prior to 84, Firefox ESR versions prior to 78.6, and Thunderbird versions prior to 78.6.
What platforms are vulnerable to CVE-2020-35112?
CVE-2020-35112 affects users on the Windows operating system.
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- vendor/mozilla
- canonical/firefox
- canonical/firefox esr
- canonical/thunderbird
- vendor/microsoft
- canonical/microsoft windows