CVE-2023-29542: A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk ...

0.0 CVSS

Description

A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk with .download. This could have led to accidental execution of malicious code.

*This bug only affects Firefox and Thunderbird on Windows. Other versions of Firefox and Thunderbird are unaffected.* This vulnerability affects Firefox < 112, Firefox ESR < 102.10, and Thunderbird < 102.10.

Classification

CVE ID: CVE-2023-29542

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Mozilla

Product: Firefox

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.33% (probability of being exploited)

EPSS Percentile: 70.72% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1810793
https://bugzilla.mozilla.org/show_bug.cgi?id=1815062
https://www.mozilla.org/security/advisories/mfsa2023-13/
https://www.mozilla.org/security/advisories/mfsa2023-14/
https://www.mozilla.org/security/advisories/mfsa2023-15/

Timeline

2024-12-12 00:30:35 UTC
CVE

A newline in a filename could have been used to bypass the file extension security mechanisms that replace malicious file extensions such as .lnk ...