Merge branch 'master' of github.com:mozilla/foundation-security-advis…

…ories-private
mozilla · Jul 29, 2020 · 1c49329 · 1c49329
2 parents a89ca49 + 285985c
commit 1c49329
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/announce/2020/mfsa2020-31.yml b/announce/2020/mfsa2020-31.yml
@@ -31,6 +31,24 @@ advisories:
       Crafted media files could lead to a race in texture caches, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.
     bugs:
       - url: 1635293
+  CVE-2020-15650:
+    title: Overwriting local files through malicious file picker application
+    impact: moderate
+    reporter: Pedro Oliveira
+    description: |
+      Given an installed malicious file picker application, an attacker was able to overwrite local files and thus overwrite Firefox settings (but not access the previous profile).
+      <br>*Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*
+    bugs:
+      - url: 1652360
+  CVE-2020-15649:
+    title: Exfiltrating local files through malicious file picker application
+    impact: moderate
+    reporter: Pedro Oliveira
+    description: |
+      Given an installed malicious file picker application, an attacker was able to steal and upload local files of their choosing, regardless of the actually files picked.
+      <br>*Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*
+    bugs:
+      - url: 1652364
   CVE-2020-15659:
     title: Memory safety bugs fixed in Firefox 79 and Firefox ESR 68.11
     impact: high

diff --git a/announce/2020/mfsa2020-34.yml b/announce/2020/mfsa2020-34.yml
@@ -0,0 +1,31 @@
+## mfsa2020-34.yml
+announced: July 28, 2020 
+impact: high
+fixed_in:
+- Firefox for iOS 28
+title: Security Vulnerabilities fixed in Firefox for iOS 28
+advisories:
+  CVE-2020-15662:
+    title: Download JS user script can be overidden
+    impact: high
+    reporter: Muneaki Nishimura
+    description: |
+      A rogue webpage could override the injected WKUserScript used by the download feature, this exploit could result in the user downloading an unintended file.
+    bugs:
+      - url: 1653827
+  CVE-2020-15661:
+    title: Login JS user script can be overidden
+    impact: high
+    reporter: Muneaki Nishimura
+    description: |
+      A rogue webpage could override the injected WKUserScript used by the logins autofill, this exploit could result in leaking a password for the current domain.
+    bugs:
+      - url: 1654131
+  CVE-2020-15651:
+    title: 'Download Feature: unicode RTLO char can fake the file extension'
+    impact: low
+    reporter: superxx
+    description: |
+      A unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow to change the file extension.
+    bugs:
+      - url: 1649160