First published: Tue Feb 11 2020
By downloading a file with the .fileloc extension, a semi-privileged extension could launch an arbitrary application on the user's computer. The attacker is restricted as they are unable to download non-quarantined files or supply command line arguments to the application, limiting the impact. Note: this issue only occurs on Mac OSX. Other operating systems are unaffected. This vulnerability affects Thunderbird < 68.5, Firefox < 73, and Firefox < ESR68.5.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <68.5 | 68.5 |
| | <73 | 73 |
| | <68.5 | 68.5 |
| | <68.5 | 68.5 |
| Mozilla Firefox | <73.0 | |
| Mozilla Firefox ESR | <68.5.0 | |
| Mozilla Thunderbird | <68.5.0 | |
| Apple macOS | | |
CVE-2020-6797 is a vulnerability that allows a semi-privileged extension to launch an arbitrary application on a user's computer.
CVE-2020-6797 works by exploiting the download of a file with the .fileloc extension to execute a malicious application.
The impact of CVE-2020-6797 is limited, as the attacker is unable to download non-quarantined files or supply command line arguments to the application.
Mozilla Firefox ESR versions earlier than 68.5 and Mozilla Firefox versions earlier than 73.0 are affected by CVE-2020-6797.
To mitigate CVE-2020-6797, it is recommended to update to Mozilla Firefox ESR version 68.5.0 or newer, or Mozilla Firefox version 73.0 or newer.