First published: Tue Apr 07 2020
A malicious Android application could craft an Intent that would have been processed by Firefox for Android and potentially result in a file overwrite in the user's profile directory. One exploitation vector for this would be to supply a user.js file providing arbitrary malicious preference values. Control of arbitrary preferences can lead to sufficient compromise such that it is generally equivalent to arbitrary code execution. Note: This issue only affects Firefox for Android. Other operating systems are unaffected.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox ESR | <68.7 | 68.7 |
<68.7 | 68.7 | |
Mozilla Firefox ESR | <68.7.0 | |
Google Android |
CVE-2020-6828 is a vulnerability in Firefox for Android that allows a malicious Android application to overwrite files in the user's profile directory.
A malicious Android application can exploit CVE-2020-6828 by crafting an Intent that would be processed by Firefox for Android and result in a file overwrite in the user's profile directory.
CVE-2020-6828 has a severity level of high.
Versions up to and including Firefox ESR 68.7 are affected by CVE-2020-6828.
To fix CVE-2020-6828, update Firefox for Android to a version higher than 68.7.