CVE-2024-32986 – Arbitrary code execution due to improper sanitization of web app properties in PWAsForFirefox

https://notcve.org/view.php?id=CVE-2024-32986

03 May 2024 — PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and `AppInfo.ini` (on PortableApps.com). This allowed malicious web apps to introduce keys like `Exec`, which could run arbitrary code when the affected web app was launched. This vulnerability affects all Linux and PortableApps.com users ... • https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •