Windows File Download Path Manipulation Vulnerability

Windows File Download Path Manipulation Vulnerability

CVE-2022-31739 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

When downloading files on Windows, the % character was not escaped, which could have lead to a download incorrectly being saved to attacker-influenced paths that used variables such as %HOMEPATH% or %APPDATA%.<br>*This bug only affects Firefox for Windows. Other operating systems are unaffected.*. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.

Learn more about our Cis Benchmark Audit For Operating Systems.