Vulnerability-Lookup

WID-SEC-W-2026-0337

Vulnerability from csaf_certbund - Published: 2020-11-17 23:00 - Updated: 2026-02-08 23:00

Summary

Mozilla Firefox und Thunderbird: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Firefox ist ein Open Source Web Browser. ESR ist die Variante mit verlängertem Support. Thunderbird ist ein Open Source E-Mail Client.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Mozilla Firefox, Mozilla Firefox ESR, Mozilla Thunderbird ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen, den Speicher zu korrumpieren, Daten zu manipulieren, vertrauliche Daten einzusehen, Sicherheitsmechanismen zu umgehen oder einen Cross Site Scripting Angriff durchzuführen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2020-15999

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-16012

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26951

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26952

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26953

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26954

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26955

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26956

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26957

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26958

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26959

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26960

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26961

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26962

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26963

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26964

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26965

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26966

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26967

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26968

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

CVE-2020-26969

Affected products

Known affected 11 products

Product	Identifier	Version
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
SUSE Linux SUSE	`cpe:/o:suse:suse_linux:-`	—
Red Hat Enterprise Linux Red Hat	`cpe:/o:redhat:enterprise_linux:-`	—
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
Mozilla Firefox <83 Mozilla / Firefox		<83
Open Source Arch Linux Open Source	`cpe:/o:archlinux:archlinux:-`	—
Mozilla Firefox ESR <78.5 Mozilla / Firefox ESR		<78.5
Mozilla Thunderbird <78.5 Mozilla / Thunderbird		<78.5
Gentoo Linux Gentoo	`cpe:/o:gentoo:linux:-`	—
Open Source CentOS Open Source	`cpe:/o:centos:centos:-`	—
Oracle Linux Oracle	`cpe:/o:oracle:linux:-`	—

References

40 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://www.mozilla.org/en-US/security/advisories…	external
https://security.archlinux.org/ASA-202011-12/generate	external
https://lists.debian.org/debian-lts-announce/2020…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://ubuntu.com/security/notices/USN-4637-2	external
https://www.debian.org/security/2020/dsa-4793	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://www.debian.org/security/2020/dsa-4796	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.debian.org/debian-lts-announce/2020…	external
https://ubuntu.com/security/notices/USN-4647-1	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://lists.suse.com/pipermail/sle-security-upd…	external
https://access.redhat.com/errata/RHSA-2020:5240	external
https://access.redhat.com/errata/RHSA-2020:5231	external
https://access.redhat.com/errata/RHSA-2020:5233	external
https://access.redhat.com/errata/RHSA-2020:5236	external
https://access.redhat.com/errata/RHSA-2020:5232	external
https://access.redhat.com/errata/RHSA-2020:5234	external
https://access.redhat.com/errata/RHSA-2020:5238	external
https://access.redhat.com/errata/RHSA-2020:5237	external
https://linux.oracle.com/errata/ELSA-2020-5237.html	external
https://access.redhat.com/errata/RHSA-2020:5235	external
https://access.redhat.com/errata/RHSA-2020:5239	external
https://access.redhat.com/errata/RHSA-2020:5257	external
https://linux.oracle.com/errata/ELSA-2020-5239.html	external
https://linux.oracle.com/errata/ELSA-2020-5235.html	external
https://linux.oracle.com/errata/ELSA-2020-5236.html	external
https://linux.oracle.com/errata/ELSA-2020-5257.html	external
https://access.redhat.com/errata/RHSA-2020:5314	external
https://linux.oracle.com/errata/ELSA-2020-5238.html	external
https://security.gentoo.org/glsa/202012-04	external
https://security.gentoo.org/glsa/202012-03	external
http://centos-announce.2309468.n4.nabble.com/Cent…	external
http://centos-announce.2309468.n4.nabble.com/Cent…	external
https://github.com/leopoldabgn/CVE-2020-16012-PoC	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Firefox ist ein Open Source Web Browser.\r\nESR ist die Variante mit verl\u00e4ngertem Support.\r\nThunderbird ist ein Open Source E-Mail Client.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Mozilla Firefox, Mozilla Firefox ESR, Mozilla Thunderbird ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuf\u00fchren, den Speicher zu korrumpieren, Daten zu manipulieren, vertrauliche Daten einzusehen, Sicherheitsmechanismen zu umgehen oder einen Cross Site Scripting Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0337 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2026-0337.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0337 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0337"
      },
      {
        "category": "external",
        "summary": "Mozilla Foundation Security Advisory vom 2020-11-17",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/"
      },
      {
        "category": "external",
        "summary": "Mozilla Foundation Security Advisory vom 2020-11-17",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/"
      },
      {
        "category": "external",
        "summary": "Mozilla Foundation Security Advisory vom 2020-11-17",
        "url": "https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/"
      },
      {
        "category": "external",
        "summary": "Arch Linux Security Advisory",
        "url": "https://security.archlinux.org/ASA-202011-12/generate"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-2457 vom 2020-11-19",
        "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00034.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:3383-1 vom 2020-11-19",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007797.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-4637-2 vom 2020-11-19",
        "url": "https://ubuntu.com/security/notices/USN-4637-2"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-4793 vom 2020-11-19",
        "url": "https://www.debian.org/security/2020/dsa-4793"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:3458-1 vom 2020-11-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007823.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-4796 vom 2020-11-22",
        "url": "https://www.debian.org/security/2020/dsa-4796"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:14548-1 vom 2020-11-20",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007825.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-2464 vom 2020-11-23",
        "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00042.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-4647-1 vom 2020-11-26",
        "url": "https://ubuntu.com/security/notices/USN-4647-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:3528-1 vom 2020-11-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007870.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2020:3548-1 vom 2020-11-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2020-November/007883.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5240 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5240"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5231 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5231"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5233 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5233"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5236 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5236"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5232 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5232"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5234 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5234"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5238 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5238"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5237 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5237"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-5237 vom 2020-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2020-5237.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5235 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5235"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5239 vom 2020-12-01",
        "url": "https://access.redhat.com/errata/RHSA-2020:5239"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5257 vom 2020-11-30",
        "url": "https://access.redhat.com/errata/RHSA-2020:5257"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-5239 vom 2020-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2020-5239.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-5235 vom 2020-11-30",
        "url": "https://linux.oracle.com/errata/ELSA-2020-5235.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-5236 vom 2020-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2020-5236.html"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-5257 vom 2020-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2020-5257.html"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2020:5314 vom 2020-12-01",
        "url": "https://access.redhat.com/errata/RHSA-2020:5314"
      },
      {
        "category": "external",
        "summary": "Oracle Linux Security Advisory ELSA-2020-5238 vom 2020-12-01",
        "url": "https://linux.oracle.com/errata/ELSA-2020-5238.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202012-04 vom 2020-12-07",
        "url": "https://security.gentoo.org/glsa/202012-04"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202012-03 vom 2020-12-07",
        "url": "https://security.gentoo.org/glsa/202012-03"
      },
      {
        "category": "external",
        "summary": "CentOS Security Advisory CESA-2020:5235 vom 2020-12-09",
        "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2020-5235-Important-CentOS-7-thunderbird-Security-Update-tp4646079.html"
      },
      {
        "category": "external",
        "summary": "CentOS Security Advisory CESA-2020:5239 vom 2020-12-09",
        "url": "http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2020-5239-Important-CentOS-7-firefox-Security-Update-tp4646078.html"
      },
      {
        "category": "external",
        "summary": "PoC auf GitHub vom 2026-02-08",
        "url": "https://github.com/leopoldabgn/CVE-2020-16012-PoC"
      }
    ],
    "source_lang": "en-US",
    "title": "Mozilla Firefox und Thunderbird: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-02-08T23:00:00.000+00:00",
      "generator": {
        "date": "2026-02-09T08:27:36.388+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0337",
      "initial_release_date": "2020-11-17T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2020-11-17T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2020-11-18T23:00:00.000+00:00",
          "number": "2",
          "summary": "Korrektur"
        },
        {
          "date": "2020-11-19T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Debian, SUSE und Ubuntu aufgenommen"
        },
        {
          "date": "2020-11-22T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE und Debian aufgenommen"
        },
        {
          "date": "2020-11-23T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2020-11-25T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2020-11-26T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2020-11-29T23:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von SUSE und Red Hat aufgenommen"
        },
        {
          "date": "2020-11-30T23:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2020-12-01T23:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von Oracle Linux und Red Hat aufgenommen"
        },
        {
          "date": "2020-12-06T23:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Gentoo aufgenommen"
        },
        {
          "date": "2020-12-09T23:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von CentOS aufgenommen"
        },
        {
          "date": "2026-02-08T23:00:00.000+00:00",
          "number": "13",
          "summary": "PoC aufgenommen"
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c83",
                "product": {
                  "name": "Mozilla Firefox \u003c83",
                  "product_id": "T017724"
                }
              },
              {
                "category": "product_version",
                "name": "83",
                "product": {
                  "name": "Mozilla Firefox 83",
                  "product_id": "T017724-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:firefox:83"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Firefox"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c78.5",
                "product": {
                  "name": "Mozilla Firefox ESR \u003c78.5",
                  "product_id": "T017725"
                }
              },
              {
                "category": "product_version",
                "name": "78.5",
                "product": {
                  "name": "Mozilla Firefox ESR 78.5",
                  "product_id": "T017725-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:firefox_esr:78.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Firefox ESR"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c78.5",
                "product": {
                  "name": "Mozilla Thunderbird \u003c78.5",
                  "product_id": "T017726"
                }
              },
              {
                "category": "product_version",
                "name": "78.5",
                "product": {
                  "name": "Mozilla Thunderbird 78.5",
                  "product_id": "T017726-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mozilla:thunderbird:78.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Thunderbird"
          }
        ],
        "category": "vendor",
        "name": "Mozilla"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source Arch Linux",
            "product": {
              "name": "Open Source Arch Linux",
              "product_id": "T013312",
              "product_identification_helper": {
                "cpe": "cpe:/o:archlinux:archlinux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Open Source CentOS",
            "product": {
              "name": "Open Source CentOS",
              "product_id": "1727",
              "product_identification_helper": {
                "cpe": "cpe:/o:centos:centos:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Oracle Linux",
            "product": {
              "name": "Oracle Linux",
              "product_id": "T004914",
              "product_identification_helper": {
                "cpe": "cpe:/o:oracle:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Oracle"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Red Hat Enterprise Linux",
            "product": {
              "name": "Red Hat Enterprise Linux",
              "product_id": "67646",
              "product_identification_helper": {
                "cpe": "cpe:/o:redhat:enterprise_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-15999",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-15999"
    },
    {
      "cve": "CVE-2020-16012",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-16012"
    },
    {
      "cve": "CVE-2020-26951",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26951"
    },
    {
      "cve": "CVE-2020-26952",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26952"
    },
    {
      "cve": "CVE-2020-26953",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26953"
    },
    {
      "cve": "CVE-2020-26954",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26954"
    },
    {
      "cve": "CVE-2020-26955",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26955"
    },
    {
      "cve": "CVE-2020-26956",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26956"
    },
    {
      "cve": "CVE-2020-26957",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26957"
    },
    {
      "cve": "CVE-2020-26958",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26958"
    },
    {
      "cve": "CVE-2020-26959",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26959"
    },
    {
      "cve": "CVE-2020-26960",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26960"
    },
    {
      "cve": "CVE-2020-26961",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26961"
    },
    {
      "cve": "CVE-2020-26962",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26962"
    },
    {
      "cve": "CVE-2020-26963",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26963"
    },
    {
      "cve": "CVE-2020-26964",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26964"
    },
    {
      "cve": "CVE-2020-26965",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26965"
    },
    {
      "cve": "CVE-2020-26966",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26966"
    },
    {
      "cve": "CVE-2020-26967",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26967"
    },
    {
      "cve": "CVE-2020-26968",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26968"
    },
    {
      "cve": "CVE-2020-26969",
      "product_status": {
        "known_affected": [
          "2951",
          "T002207",
          "67646",
          "T000126",
          "T017724",
          "T013312",
          "T017725",
          "T017726",
          "T012167",
          "1727",
          "T004914"
        ]
      },
      "release_date": "2020-11-17T23:00:00.000+00:00",
      "title": "CVE-2020-26969"
    }
  ]
}

CVE-2020-15999 (GCVE-0-2020-15999)

Vulnerability from cvelistv5 – Published: 2020-11-03 00:00 – Updated: 2025-10-21 23:35

Summary

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Severity

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

SSVC

Exploitation: active Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

Heap buffer overflow
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

Chrome

References

12 references

URL	Tags
https://crbug.com/1139963
https://chromereleases.googleblog.com/2020/10/sta…
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://security.gentoo.org/glsa/202011-12	vendor-advisory
http://seclists.org/fulldisclosure/2020/Nov/33	mailing-list
https://security.gentoo.org/glsa/202012-04	vendor-advisory
https://www.debian.org/security/2021/dsa-4824	vendor-advisory
https://googleprojectzero.blogspot.com/p/rca-cve-…
https://security.gentoo.org/glsa/202401-19	vendor-advisory
https://security.netapp.com/advisory/ntap-2024081…
https://www.cisa.gov/known-exploited-vulnerabilit…	government-resource

Impacted products

1 product

Vendor	Product	Version
Google	Chrome	Affected: unspecified , < 86.0.4240.111 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-12T22:02:48.152Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://crbug.com/1139963"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html"
          },
          {
            "name": "openSUSE-SU-2020:1829",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html"
          },
          {
            "name": "FEDORA-2020-6b35849edd",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3QVIGAAJ4D62YEJAJJWMCCBCOQ6TVL7/"
          },
          {
            "name": "GLSA-202011-12",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202011-12"
          },
          {
            "name": "20201118 TCMalloc viewer/dumper - TCMalloc Inspector Tool",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2020/Nov/33"
          },
          {
            "name": "GLSA-202012-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202012-04"
          },
          {
            "name": "DSA-4824",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4824"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://googleprojectzero.blogspot.com/p/rca-cve-2020-15999.html"
          },
          {
            "name": "GLSA-202401-19",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202401-19"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20240812-0001/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-15999",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T14:58:48.995301Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-15999"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:35:33.599Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-15999"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00.000Z",
            "value": "CVE-2020-15999 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Chrome",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "86.0.4240.111",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Heap buffer overflow",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-15T14:06:22.266Z",
        "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "shortName": "Chrome"
      },
      "references": [
        {
          "url": "https://crbug.com/1139963"
        },
        {
          "url": "https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html"
        },
        {
          "name": "openSUSE-SU-2020:1829",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html"
        },
        {
          "name": "FEDORA-2020-6b35849edd",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J3QVIGAAJ4D62YEJAJJWMCCBCOQ6TVL7/"
        },
        {
          "name": "GLSA-202011-12",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202011-12"
        },
        {
          "name": "20201118 TCMalloc viewer/dumper - TCMalloc Inspector Tool",
          "tags": [
            "mailing-list"
          ],
          "url": "http://seclists.org/fulldisclosure/2020/Nov/33"
        },
        {
          "name": "GLSA-202012-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202012-04"
        },
        {
          "name": "DSA-4824",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4824"
        },
        {
          "url": "https://googleprojectzero.blogspot.com/p/rca-cve-2020-15999.html"
        },
        {
          "name": "GLSA-202401-19",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202401-19"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
    "assignerShortName": "Chrome",
    "cveId": "CVE-2020-15999",
    "datePublished": "2020-11-03T00:00:00.000Z",
    "dateReserved": "2020-07-27T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:35:33.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-16012 (GCVE-0-2020-16012)

Vulnerability from cvelistv5 – Published: 2021-01-08 17:48 – Updated: 2024-08-04 13:30

Summary

Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Severity

No CVSS data available.

CWE

Side-channel information leakage

Assigner

Chrome

References

2 references

URL	Tags
https://chromereleases.googleblog.com/2020/11/sta…	x_refsource_MISC
https://crbug.com/1088224	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Google	Chrome	Affected: unspecified , < 87.0.4280.66 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:30:23.546Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://crbug.com/1088224"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Chrome",
          "vendor": "Google",
          "versions": [
            {
              "lessThan": "87.0.4280.66",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Side-channel information leakage",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-01-08T17:48:32.000Z",
        "orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
        "shortName": "Chrome"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://crbug.com/1088224"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "chrome-cve-admin@google.com",
          "ID": "CVE-2020-16012",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Chrome",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "87.0.4280.66"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Google"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Side-channel information leakage"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html",
              "refsource": "MISC",
              "url": "https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html"
            },
            {
              "name": "https://crbug.com/1088224",
              "refsource": "MISC",
              "url": "https://crbug.com/1088224"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
    "assignerShortName": "Chrome",
    "cveId": "CVE-2020-16012",
    "datePublished": "2021-01-08T17:48:32.000Z",
    "dateReserved": "2020-07-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:30:23.546Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26951 (GCVE-0-2020-26951)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:19 – Updated: 2024-08-04 16:03

Summary

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Severity

No CVSS data available.

CWE

Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code

Assigner

mozilla

References

4 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1667113	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83
Mozilla	Firefox ESR	Affected: < 78.5
Mozilla	Thunderbird	Affected: < 78.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:22.995Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667113"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A parsing and event loading mismatch in Firefox\u0027s SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:19:43.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667113"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26951",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A parsing and event loading mismatch in Firefox\u0027s SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667113",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667113"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-52/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-51/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26951",
    "datePublished": "2020-12-09T00:19:43.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:22.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26952 (GCVE-0-2020-26952)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:20 – Updated: 2024-08-04 16:03

Summary

Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. This vulnerability affects Firefox < 83.

Severity

No CVSS data available.

CWE

Out of memory handling of JITed, inlined functions could lead to a memory corruption

Assigner

mozilla

References

2 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1667685	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:22.990Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667685"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. This vulnerability affects Firefox \u003c 83."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Out of memory handling of JITed, inlined functions could lead to a memory corruption",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:20:05.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667685"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26952",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. This vulnerability affects Firefox \u003c 83."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Out of memory handling of JITed, inlined functions could lead to a memory corruption"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667685",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667685"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26952",
    "datePublished": "2020-12-09T00:20:05.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:22.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26953 (GCVE-0-2020-26953)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:20 – Updated: 2024-08-04 16:03

Summary

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Severity

No CVSS data available.

CWE

Fullscreen could be enabled without displaying the security UI

Assigner

mozilla

References

4 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1656741	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83
Mozilla	Firefox ESR	Affected: < 78.5
Mozilla	Thunderbird	Affected: < 78.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:23.059Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1656741"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Fullscreen could be enabled without displaying the security UI",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:20:35.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1656741"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26953",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Fullscreen could be enabled without displaying the security UI"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1656741",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1656741"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-52/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-51/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26953",
    "datePublished": "2020-12-09T00:20:35.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:23.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26954 (GCVE-0-2020-26954)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:20 – Updated: 2024-08-04 16:03

Summary

When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83.

Severity

No CVSS data available.

CWE

Local spoofing of web manifests for arbitrary pages in Firefox for Android

Assigner

mozilla

References

2 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1657026	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:23.129Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1657026"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 83."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Local spoofing of web manifests for arbitrary pages in Firefox for Android",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:20:56.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1657026"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26954",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 83."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Local spoofing of web manifests for arbitrary pages in Firefox for Android"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1657026",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1657026"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26954",
    "datePublished": "2020-12-09T00:20:56.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:23.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26955 (GCVE-0-2020-26955)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:21 – Updated: 2024-08-04 16:03

Summary

When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83.

Severity

No CVSS data available.

CWE

Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android

Assigner

mozilla

References

2 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1663261	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:23.169Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1663261"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 83."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:21:13.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1663261"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26955",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When a user downloaded a file in Firefox for Android, if a cookie is set, it would have been re-sent during a subsequent file download operation on the same domain, regardless of whether the original and subsequent request were in private and non-private browsing modes. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 83."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cookies set during file downloads are shared between normal and Private Browsing Mode in Firefox for Android"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1663261",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1663261"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26955",
    "datePublished": "2020-12-09T00:21:13.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:23.169Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26956 (GCVE-0-2020-26956)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:21 – Updated: 2024-08-04 16:03

Summary

In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Severity

No CVSS data available.

CWE

XSS through paste (manual and clipboard API)

Assigner

mozilla

References

4 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1666300	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83
Mozilla	Firefox ESR	Affected: < 78.5
Mozilla	Thunderbird	Affected: < 78.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:23.066Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666300"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "XSS through paste (manual and clipboard API)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:21:39.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666300"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26956",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "XSS through paste (manual and clipboard API)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666300",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1666300"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-52/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-51/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26956",
    "datePublished": "2020-12-09T00:21:39.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:23.066Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26957 (GCVE-0-2020-26957)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:21 – Updated: 2024-08-04 16:03

Summary

OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83.

Severity

No CVSS data available.

CWE

OneCRL was not working in Firefox for Android

Assigner

mozilla

References

2 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1667179	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:22.861Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667179"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 83."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "OneCRL was not working in Firefox for Android",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:21:55.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667179"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26957",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OneCRL was non-functional in the new Firefox for Android due to a missing service initialization. This could result in a failure to enforce some certificate revocations. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox \u003c 83."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "OneCRL was not working in Firefox for Android"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667179",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1667179"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26957",
    "datePublished": "2020-12-09T00:21:55.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:22.861Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-26958 (GCVE-0-2020-26958)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:22 – Updated: 2024-08-04 16:03

Summary

Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Severity

No CVSS data available.

CWE

Requests intercepted through ServiceWorkers lacked MIME type restrictions

Assigner

mozilla

References

4 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=1669355	x_refsource_MISC
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM
https://www.mozilla.org/security/advisories/mfsa2…	x_refsource_CONFIRM

Impacted products

3 products

Vendor	Product	Version
Mozilla	Firefox	Affected: < 83
Mozilla	Firefox ESR	Affected: < 78.5
Mozilla	Thunderbird	Affected: < 78.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:23.148Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1669355"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        },
        {
          "product": "Firefox ESR",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 78.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Requests intercepted through ServiceWorkers lacked MIME type restrictions",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:22:19.000Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1669355"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26958",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Firefox ESR",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Thunderbird",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 78.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox \u003c 83, Firefox ESR \u003c 78.5, and Thunderbird \u003c 78.5."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Requests intercepted through ServiceWorkers lacked MIME type restrictions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1669355",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1669355"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-52/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-52/"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-51/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-51/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26958",
    "datePublished": "2020-12-09T00:22:19.000Z",
    "dateReserved": "2020-10-12T00:00:00.000Z",
    "dateUpdated": "2024-08-04T16:03:23.148Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0337

CVE-2020-15999 (GCVE-0-2020-15999)

CVE-2020-16012 (GCVE-0-2020-16012)

CVE-2020-26951 (GCVE-0-2020-26951)

CVE-2020-26952 (GCVE-0-2020-26952)

CVE-2020-26953 (GCVE-0-2020-26953)

CVE-2020-26954 (GCVE-0-2020-26954)

CVE-2020-26955 (GCVE-0-2020-26955)

CVE-2020-26956 (GCVE-0-2020-26956)

CVE-2020-26957 (GCVE-0-2020-26957)

CVE-2020-26958 (GCVE-0-2020-26958)

Tags

Sightings

Nomenclature