First published: Tue Apr 11 2023
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user. *This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Firefox ESR | <102.10 | 102.10 |
Mozilla Firefox | <112 | 112 |
All of | | |
Mozilla Firefox | =112 | |
Google Android | | |
All of | | |
Mozilla Focus | =112 | |
Google Android | | |
<102.10 | 102.10 | |
<102.10 | 102.10 | |
Mozilla Firefox | <112.0 | |
Mozilla Firefox ESR | <102.10 | |
Mozilla Thunderbird | <102.10 | |
CVE-2023-29545 is a vulnerability in Thunderbird on Windows that allows suggested filenames to contain environment variable names that are resolved in the user's context.
CVE-2023-29545 affects Thunderbird on Windows, but other versions of Thunderbird are unaffected.
CVE-2023-29545 has a severity level of medium.
To fix CVE-2023-29545, update Thunderbird to the latest version.
You can find more information about CVE-2023-29545 in the references provided: [Link 1](https://bugzilla.mozilla.org/show_bug.cgi?id=1823077), [Link 2](https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/), [Link 3](https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/).