CVE-2023-29545
Public on 2023-04-11
Modified on 2024-01-19
Description
The Mozilla Foundation describes this issue as follows:
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user.
This bug only affects Thunderbird on Windows. Other versions of Thunderbird are unaffected.
This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.
Similar to CVE-2023-28163, this time when choosing 'Save Link As', suggested filenames containing environment variable names would have resolved those in the context of the current user.
This bug only affects Thunderbird on Windows. Other versions of Thunderbird are unaffected.
This bug only affects Firefox on Windows. Other versions of Firefox are unaffected.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Firefox Extra | firefox | Not Affected | ||
| Amazon Linux 2 - Core | thunderbird | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |