Information Exposure Affecting firefox-esr package, versions <68.8.0esr-1


0.0
medium

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    EPSS 0.05% (14th percentile)
Expand this section
NVD
5.5 medium
Expand this section
SUSE
5.5 medium
Expand this section
Red Hat
6.1 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN12-FIREFOXESR-1546166
  • published 5 May 2020
  • disclosed 26 May 2020

How to fix?

Upgrade Debian:12 firefox-esr to version 68.8.0esr-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream firefox-esr package and not the firefox-esr package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0.