CVE-2024-5692
MEDIUM
Firefox < 127 and ESR < 115.12 - Unauthenticated File Extension Spoofing via Invalid Character in Save As Dialog
Title source: llm
Description
On Windows 10, when using the 'Save As' functionality, an attacker could have tricked the browser into saving the file with a disallowed extension such as `.url` by including an invalid character in the extension. *Note:* This issue only affected Windows operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12.
References (4)
Core References
Exploit, Issue Tracking
https://bugzilla.mozilla.org/show_bug.cgi?id=1891234
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-25/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-26/
Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2024-28/
Scores
CVSS v3
6.5
EPSS
0.0032
EPSS Percentile
54.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
Status
published
Products (3)
mozilla/firefox
< 115.12
mozilla/firefox
< 127.0
mozilla/thunderbird
< 115.12
Published
Jun 11, 2024
Tracked Since
Feb 18, 2026