Advisory ID: KYLIN-2019-11730
Severity: Medium
Product: Kylin V3
Release date: July 10, 2019
CVE: CVE-2019-11730
CVSS3 score: 6.1
Summary:
None
Description:
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may be uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
System versions:
KYLIN 3.0.x
KYLIN 3.2.x
KYLIN 3.2.x
KYLIN 3.3.x
KYLIN 3.3.x
KYLIN 3.4.x
KYLIN 3.4.x
Affected package list:
firefox
firefox-60.8.0-1.el6_10
thunderbird-60.8.0-1.el6_10
firefox-60.8.0-1.el7_6
thunderbird-60.8.0-1.el7_6
firefox-60.8.0-1.el8_0
thunderbird-60.8.0-1.el8_0
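
The following is an added example, not part of the original advisory: a small Python check that classifies `rpm -qa` lines against the affected ranges stated in the description. The function names and the sample package lines are constructed for illustration, and the mapping of 60.x to the ESR branch is an assumption.

```python
import re

# Affected ranges as stated in the advisory text:
#   Firefox ESR < 60.8, Firefox < 68, Thunderbird < 60.8
# Matches "name-version-release" as printed by `rpm -qa`.
NVR_RE = re.compile(r"^(firefox|thunderbird)-(\d+(?:\.\d+)*)-")


def parse_version(text):
    """Turn '60.8.0' into (60, 8, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_affected(name, version):
    """Return True if this build falls in a range the advisory lists."""
    v = parse_version(version)
    if name == "thunderbird":
        return v < (60, 8)
    if name == "firefox":
        # Assumption: 60.x packages are the ESR branch (fixed in 60.8),
        # 61-67 are regular releases (fixed in 68).
        return v < (60, 8) or (61,) <= v < (68,)
    raise ValueError("package not covered by this advisory: " + name)


def audit(rpm_lines):
    """Return [(package_line, affected)] for firefox/thunderbird entries."""
    findings = []
    for line in rpm_lines:
        line = line.strip()
        match = NVR_RE.match(line)
        if match:
            findings.append((line, is_affected(*match.groups())))
    return findings


# Constructed sample of `rpm -qa` output (not taken from a real host).
SAMPLE = [
    "firefox-60.7.2-1.el7_6.x86_64",
    "thunderbird-60.8.0-1.el7_6.x86_64",
    "firefox-67.0.4-1.fc30.x86_64",
    "firefox-68.0-1.fc30.x86_64",
    "bash-4.2.46-31.el7.x86_64",
]

if __name__ == "__main__":
    for package, affected in audit(SAMPLE):
        print(("AFFECTED " if affected else "ok       ") + package)
```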