CVE-2020-12393

CVE-2020-12393

Name

CVE-2020-12393

Description

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://www.mozilla.org/security/advisories/mfsa2020-17/
Vendor Advisory	https://www.mozilla.org/security/advisories/mfsa2020-18/
Vendor Advisory	https://www.mozilla.org/security/advisories/mfsa2020-16/
Permissions Required	https://bugzilla.mozilla.org/show_bug.cgi?id=1615471

Type

URI

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-17/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-18/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-16/

Permissions Required

https://bugzilla.mozilla.org/show_bug.cgi?id=1615471

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
thunderbird	edge-community	68.8.0-r0	None	fixed
thunderbird	3.22-community	68.8.0-r0	None	fixed
thunderbird	3.21-community	68.8.0-r0	None	fixed
thunderbird	3.20-community	68.8.0-r0	None	fixed
thunderbird	3.19-community	68.8.0-r0	None	fixed
thunderbird	3.18-community	68.8.0-r0	None	fixed
thunderbird	3.17-community	68.8.0-r0	None	fixed
librewolf	edge-community	76.0-r0	None	fixed
librewolf	3.22-community	76.0-r0	None	fixed
librewolf	3.21-community	76.0-r0	None	fixed
firefox-esr	edge-community	68.8.0-r0	None	fixed
firefox-esr	3.22-community	68.8.0-r0	None	fixed
firefox-esr	3.21-community	68.8.0-r0	None	fixed
firefox-esr	3.20-community	68.8.0-r0	None	fixed
firefox-esr	3.19-community	68.8.0-r0	None	fixed
firefox-esr	3.18-community	68.8.0-r0	None	fixed
firefox-esr	3.17-community	68.8.0-r0	None	fixed
firefox	edge-community	76.0-r0	None	fixed
firefox	3.22-community	76.0-r0	None	fixed
firefox	3.21-community	76.0-r0	None	fixed
firefox	3.20-community	76.0-r0	None	fixed
firefox	3.19-community	76.0-r0	None	fixed
firefox	3.18-community	76.0-r0	None	fixed
firefox	3.17-community	76.0-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

thunderbird

edge-community

68.8.0-r0

None

fixed

thunderbird

3.22-community