First published 2 July 2026
CVSS:3.1: 6.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
A security vulnerability regarding file downloads in web browsers has been found in IGEL OS. This affects the following product versions:
- IGEL OS 12
- IGEL OS 11
Details
A penetration test commissioned by IGEL has found a security issue with file downloads in web browsers on IGEL OS. MIME types and file extensions that are allowlisted to be downloaded and auto-opened in Chromium or Firefox could be used to overwrite settings files in the user’s home directory.
Mitigation
Chromium on OS 12
- In the profile configurator, go to Apps > Chromium Browser > Global Settings > Security & Encryption.
- Activate Block Downloads.
- In Download allowlist, remove image/tiff (unless you wish to download TIFF images locally).
- In Open file types automatically after downloading, remove image/tiff (unless you wish to download TIFF images locally).
Chromium on OS 11
- Go to Sessions > Chromium Browser > Chromium Browser Global > Security.
- In Download allowlist, remove image/tiff (unless you wish to download TIFF images locally).
Firefox on OS 12
- Go to Apps > Firefox Browser > Global Settings > Security & Encryption.
- In Open file types automatically after downloading, remove image/tiff (unless you wish to download TIFF images locally).
Firefox on OS 11
- Go to Sessions > Firefox Browser > Firefox Browser Global > Security.
- Activate Hide local filesystem. The local file system will not be shown in the dialogs for saving data. The user cannot change the location for saving files.
Update Instructions
- OS 12:
  - Upgrade the Chromium app to version 149.0.7827.155 or newer as soon as it is available on the IGEL App Portal.
  - Upgrade the Firefox ESR app to version 140.13 or newer as soon as it is available on the IGEL App Portal.
- OS 11: IGEL OS11 reached End of Maintenance (EOM) in June 2026. To continue receiving security updates, maintenance releases, and technical support, we recommend upgrading to IGEL OS12.
References
- Configuration of the Chromium Browser in IGEL OS 12: https://kb.igel.com/en/igel-apps/current/configuration-of-the-chromium-browser-in-igel-os
- Chromium Browser Global Session in IGEL OS 11: https://kb.igel.com/en/igel-os/current/security-1
- Configuration of the Firefox ESR in IGEL OS 12: https://kb.igel.com/en/igel-apps/current/configuration-of-the-firefox-esr-in-igel-os
- Firefox Browser Global Settings in IGEL OS 11: https://kb.igel.com/en/igel-os/current/security