{"api_version":"1","generated_at":"2026-04-23T00:39:37+00:00","cve":"CVE-2020-35112","urls":{"html":"https://cve.report/CVE-2020-35112","api":"https://cve.report/api/cve/CVE-2020-35112.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-35112","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-35112"},"summary":{"title":"CVE-2020-35112","description":"If a user downloaded a file lacking an extension on Windows, and then \"Open\"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2021-01-07 14:15:00","updated_at":"2021-01-12 19:01:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://www.mozilla.org/security/advisories/mfsa2020-55/","name":"https://www.mozilla.org/security/advisories/mfsa2020-55/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox ESR 78.6 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-54/","name":"https://www.mozilla.org/security/advisories/mfsa2020-54/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox 84 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-56/","name":"https://www.mozilla.org/security/advisories/mfsa2020-56/","refsource":"MISC","tags":["Vendor Advisory"],"title":"Security Vulnerabilities fixed in Thunderbird 78.6 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1661365","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1661365","refsource":"MISC","tags":["Permissions Required"],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-35112","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35112","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"35112","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"35112","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-35112","qid":"500938","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2020-35112","qid":"500958","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2020-35112","qid":"502377","title":"Alpine Linux Security Update for thunderbird"},{"cve":"CVE-2020-35112","qid":"503843","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2020-35112","qid":"750467","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2020:2325-1)"},{"cve":"CVE-2020-35112","qid":"750468","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2020:2324-1)"},{"cve":"CVE-2020-35112","qid":"750469","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2020:2317-1)"},{"cve":"CVE-2020-35112","qid":"750470","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2020:2318-1)"},{"cve":"CVE-2020-35112","qid":"750471","title":"OpenSUSE Security Update for MozillaThunderbird (openSUSE-SU-2020:2317-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-35112","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"84","version_affected":"<"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"78.6","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"78.6","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Opening an extension-less download may have inadvertently launched an executable instead"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2020-54/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2020-54/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-56/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2020-56/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-55/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2020-55/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1661365","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1661365"}]},"description":{"description_data":[{"lang":"eng","value":"If a user downloaded a file lacking an extension on Windows, and then \"Open\"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6."}]}},"nvd":{"publishedDate":"2021-01-07 14:15:00","lastModifiedDate":"2021-01-12 19:01:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"84.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"78.6.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.6.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"35112","Ordinal":"193618","Title":"CVE-2020-35112","CVE":"CVE-2020-35112","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"35112","Ordinal":"1","NoteData":"If a user downloaded a file lacking an extension on Windows, and then \"Open\"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"35112","Ordinal":"2","NoteData":"2021-01-07","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"35112","Ordinal":"3","NoteData":"2021-01-07","Type":"Other","Title":"Modified"}]}}}