Firefox <112 ESR<102.10 Reflected Download via NULL Filename Truncation
CVE-2023-29539 Published on June 2, 2023

When handling the filename directive in the Content-Disposition header, the filename would be truncated if the filename contained a NULL character. This could have led to reflected file download attacks potentially tricking users to install malware. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10.

NVD

Products Associated with CVE-2023-29539

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-29539 are published in these products:

Canonical Ubuntu Linux

Mozilla Thunderbird

Mozilla Focus

Mozilla FireFox Extended Support Release (ESR)

Mozilla Firefox

Affected Versions

Mozilla Firefox:

Version unspecified and below 112 is affected.

Mozilla Focus for Android:

Version unspecified and below 112 is affected.

Mozilla Firefox ESR:

Version unspecified and below 102.10 is affected.

Mozilla Firefox for Android:

Version unspecified and below 112 is affected.

Mozilla Thunderbird:

Version unspecified and below 102.10 is affected.

Exploit Probability

EPSS

0.20%

Percentile

41.45%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

Firefox <112 ESR<102.10 Reflected Download via NULL Filename TruncationCVE-2023-29539 Published on June 2, 2023

Products Associated with CVE-2023-29539

Affected Versions

Exploit Probability

Firefox <112 ESR<102.10 Reflected Download via NULL Filename Truncation
CVE-2023-29539 Published on June 2, 2023