First published: Tue Feb 11 2020
Command line arguments could have been injected during Firefox invocation as a shell handler for certain unsupported file types. Two preconditions applied: Firefox had to be configured as the default handler for the file type in question, and a downloaded file had to be opened in a third-party application that insufficiently sanitized URL data before passing it on the command line. In that situation, clicking a link in the third-party application could have been used to retrieve and execute files whose location was supplied through the injected command line arguments. Note: this issue only affects Windows, and only when Firefox is configured as the default handler for non-default file types. Other operating systems are unaffected.
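The mechanism the advisory describes, a third-party application building a Firefox command line from URL data it did not sanitize, is illustrated below with a Python example added to this page; it is not Mozilla's code or the code of any affected application. The handler template, the executable path and the placeholder flag name `-injected-flag` are assumptions constructed for the example, and no specific Firefox option is implied. The parser follows the Windows CRT argv rules so the effect of an embedded quote can be checked on any platform.

```python
import subprocess

# Constructed, illustrative handler template in the shape Windows stores under a
# file type's shell\open\command key. Path and flags are assumptions for this
# example, not values taken from the advisory.
FIREFOX_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
HANDLER_TEMPLATE = '"' + FIREFOX_EXE + '" -osint -url "%1"'

# Constructed attacker-controlled URL. The embedded quote closes the template's
# "%1" quoting early; "-injected-flag" is a placeholder name, not a Firefox flag.
INJECTED_URL = 'http://example.test/x" -injected-flag "value'


def parse_windows_cmdline(line: str) -> list:
    """Split a command line the way the Windows CRT (CommandLineToArgvW) does.

    Rules implemented: whitespace separates arguments, double quotes group,
    2n backslashes before a quote yield n backslashes and the quote toggles
    grouping, 2n+1 backslashes before a quote yield n backslashes plus a
    literal quote, backslashes elsewhere are literal. The post-2008 "" escape
    inside a quoted region is not modelled; list2cmdline never emits it.
    """
    args, i, n = [], 0, len(line)
    while i < n:
        while i < n and line[i] in " \t":
            i += 1
        if i >= n:
            break
        arg, in_quotes = [], False
        while i < n:
            c = line[i]
            if c == "\\":
                bs = 0
                while i < n and line[i] == "\\":
                    bs += 1
                    i += 1
                if i < n and line[i] == '"':
                    arg.append("\\" * (bs // 2))
                    if bs % 2:
                        arg.append('"')      # escaped literal quote
                    else:
                        in_quotes = not in_quotes
                    i += 1
                else:
                    arg.append("\\" * bs)
            elif c == '"':
                in_quotes = not in_quotes
                i += 1
            elif c in " \t" and not in_quotes:
                break
            else:
                arg.append(c)
                i += 1
        args.append("".join(arg))
    return args


def naive_handler_cmdline(url: str) -> str:
    """Vulnerable pattern: paste the URL into the template as text."""
    return HANDLER_TEMPLATE.replace("%1", url)


def safe_handler_cmdline(url: str) -> str:
    """Hardened pattern: build argv, then escape each element for the Windows
    CRT with subprocess.list2cmdline (the inverse of the parsing rules above).
    The scheme check alone would NOT stop the injection; the quoting does."""
    if not url.lower().startswith(("http://", "https://")):
        raise ValueError("refusing non-http(s) URL: %r" % url)
    return subprocess.list2cmdline([FIREFOX_EXE, "-osint", "-url", url])


def demo():
    """Return (argv seen by Firefox with naive substitution, argv with escaping)."""
    naive = parse_windows_cmdline(naive_handler_cmdline(INJECTED_URL))
    safe = parse_windows_cmdline(safe_handler_cmdline(INJECTED_URL))
    return naive, safe


if __name__ == "__main__":
    naive, safe = demo()
    print("naive argv:", naive)   # 6 arguments: the URL has become three
    print("safe argv: ", safe)    # 4 arguments: the URL stays one argument
```

With naive substitution the single URL value turns into three argv entries, one of which is a flag the attacker chose; with `list2cmdline` the same string round-trips as exactly one argument. Note that the scheme allowlist in `safe_handler_cmdline` accepts the malicious URL, which is the point: input validation on the URL's shape does not replace correct argument escaping.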
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox ESR | <68.5 | 68.5 |
Mozilla Firefox | <73.0 | 73.0 |
Microsoft Windows | any (affected platform; the fix is in Firefox) | Update Firefox |
CVE-2020-6799 is rated High, with a CVSS base score of 8.8.
CVE-2020-6799 affects Firefox ESR versions before 68.5 and Firefox versions before 73.0.
To fix CVE-2020-6799, update to version 68.5 or later for Firefox ESR, or version 73.0 or later for Firefox.
Yes, Windows systems are the only ones affected by CVE-2020-6799, and only when Firefox is configured as the default handler for a non-default file type; Firefox on other operating systems is unaffected.
You can find more information about CVE-2020-6799 at the following references: [Bugzilla](https://bugzilla.mozilla.org/show_bug.cgi?id=1606596), [Mozilla Security Advisories](https://www.mozilla.org/en-US/security/advisories/mfsa2020-06/), and [Gentoo Security](https://security.gentoo.org/glsa/202003-02).