Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-6811

Опубликовано: 10 мар. 2020
Источник: redhat
CVSS3: 8.8
EPSS Низкий

Описание

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

The Mozilla Foundation Security Advisory describes this flaw as: The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5firefoxOut of support scope
Red Hat Enterprise Linux 5thunderbirdOut of support scope
Red Hat Enterprise Linux 6firefoxFixedRHSA-2020:081616.03.2020
Red Hat Enterprise Linux 6thunderbirdFixedRHSA-2020:091423.03.2020
Red Hat Enterprise Linux 7firefoxFixedRHSA-2020:081516.03.2020
Red Hat Enterprise Linux 7thunderbirdFixedRHSA-2020:090519.03.2020
Red Hat Enterprise Linux 8firefoxFixedRHSA-2020:082016.03.2020
Red Hat Enterprise Linux 8thunderbirdFixedRHSA-2020:091923.03.2020
Red Hat Enterprise Linux 8.0 Update Services for SAP SolutionsfirefoxFixedRHSA-2020:081916.03.2020
Red Hat Enterprise Linux 8.0 Update Services for SAP SolutionsthunderbirdFixedRHSA-2020:091823.03.2020

Показывать по

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-20->CWE-78
https://bugzilla.redhat.com/show_bug.cgi?id=1812202Mozilla: Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection

EPSS

Процентиль: 79%
0.01287
Низкий

8.8 High

CVSS3

Связанные уязвимости

CVSS3: 8.8
ubuntu
больше 5 лет назад

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

CVSS3: 8.8
nvd
больше 5 лет назад

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

CVSS3: 8.8
debian
больше 5 лет назад

The 'Copy as cURL' feature of Devtools' network tab did not properly e ...

CVSS3: 8.8
github
около 3 лет назад

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as Curl' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. This vulnerability affects Thunderbird < 68.6, Firefox < 74, Firefox < ESR68.6, and Firefox ESR < 68.6.

suse-cvrf
больше 5 лет назад

Security update for MozillaThunderbird

EPSS

Процентиль: 79%
0.01287
Низкий

8.8 High

CVSS3