ISN 2026-25: IGEL OS File Overwrite Vulnerability

First published 2 July 2026

CVSS 3.1: 6.3 (Medium)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Summary

A security vulnerability regarding file downloads in web browsers has been found in IGEL OS. This affects the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

A penetration test commissioned by IGEL has found a security issue with file downloads in web browsers on IGEL OS. MIME types and file extensions that are allowlisted to be downloaded and auto-opened in Chromium or Firefox could be used to overwrite settings files in the user’s home directory.

Mitigation

Chromium on OS 12

  1. In the profile configurator, go to Apps > Chromium Browser > Global Settings > Security & Encryption.

  2. Activate Block Downloads.

  3. In Download allowlist, remove image/tiff (unless you wish to download TIFF images locally).

  4. In Open file types automatically after downloading, remove image/tiff (unless you wish to download TIFF images locally).

Chromium on OS 11

  1. Go to Sessions > Chromium Browser > Chromium Browser Global > Security.

  2. In Download allowlist, remove image/tiff (unless you wish to download TIFF images locally).

Firefox on OS 12

  1. Go to Apps > Firefox Browser > Global Settings > Security & Encryption.

  2. In Open file types automatically after downloading, remove image/tiff (unless you wish to download TIFF images locally).

Firefox on OS 11

  1. Go to Sessions > Firefox Browser > Firefox Browser Global > Security.

  2. Activate Hide local filesystem. The local file system will not be shown in the dialogs for saving data. The user cannot change the location for saving files.

Update Instructions

  • OS 12:

    • Upgrade the Chromium app to version 149.0.7827.155 or newer as soon as it is available on the IGEL App Portal.

    • Upgrade the Firefox ESR app to version 140.13 or newer as soon as it is available on the IGEL App Portal.

  • OS 11: IGEL OS 11 reached End of Maintenance (EOM) in June 2026. To continue receiving security updates, maintenance releases, and technical support, we recommend upgrading to IGEL OS 12.
