CVE-2020-12394
Published: 2020-05-26
CVE-2020-12394: A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing…
Priority: P48 low
CVSS 3.1: 3.3 (AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N)
EPSS: 0.27% (19.3th percentile)
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 76.0-1 (sid) | firefox 76.0-1 (sid) |
| mozilla | firefox | < 76.0 | 76.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 76.0+build2-0ubuntu0.16.04.1 | 76.0+build2-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 76.0.1+build1-0ubuntu0.16.04.1 | 76.0.1+build1-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 76.0+build2-0ubuntu0.18.04.1 | 76.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 76.0.1+build1-0ubuntu0.18.04.1 | 76.0.1+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 76.0+build2-0ubuntu0.20.04.1 | 76.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= 0 < 76.0.1+build1-0ubuntu0.20.04.1 | 76.0.1+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 76 | 76 |
CVSS provenance
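| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 8.1 | HIGH | — |
| vendor_ubuntu | — | 8.1 | HIGH | — |
| vendor_debian | — | 3.3 | LOW | — |
| vendor_redhat | — | 3.3 | LOW | — |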
GHSA
GHSA-vp98-fg4h-f354: A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and
ghsa_unreviewed·2022-05-24
CVE-2020-12394 [LOW] CWE-20 GHSA-vp98-fg4h-f354: A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
OSV
firefox regression
osv·2020-05-12·CVSS 8.1
[HIGH] firefox regression
USN-4353-1 fixed vulnerabilities in Firefox. The update caused a
regression that impaired the functionality of some addons. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, spoof the URL bar, or execute arbitrary code.
(CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391,
CVE-2020-12394, CVE-2020-12395, CVE-2020-12396)
It was discovered that the Devtools’ ‘Copy as cURL’ feature did not
properly escape the HTTP POST data of a request. If a user were tricked into using
the ‘Copy as cURL’ feature to copy a
OSV
CVE-2020-12394: A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and
osv·2020-05-07·CVSS 3.3
CVE-2020-12394 [LOW] CVE-2020-12394: A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
OSV
firefox vulnerabilities
osv·2020-05-07·CVSS 8.1
CVE-2020-6831 [HIGH] firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, spoof the URL bar, or execute arbitrary code.
(CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391,
CVE-2020-12394, CVE-2020-12395, CVE-2020-12396)
It was discovered that the Devtools’ ‘Copy as cURL’ feature did not
properly escape the HTTP POST data of a request. If a user were tricked into
using the ‘Copy as cURL’ feature to copy and paste a command with
specially crafted data into a terminal, an attacker could potentially
exploit this to obtain sensitive information from local files.
(CVE-2020-12392)
Ubuntu
Firefox regression
vendor_ubuntu·2020-05-12·CVSS 8.1
[HIGH] Firefox regression
Title: Firefox regression
Summary: USN-4353-1 caused a regression in Firefox.
USN-4353-1 fixed vulnerabilities in Firefox. The update caused a
regression that impaired the functionality of some addons. This update
fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, spoof the URL bar, or execute arbitrary code.
(CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391,
CVE-2020-12394, CVE-2020-12395, CVE-2020-12396)
It was discovered that the Devtools’ ‘Copy as cURL’ feature did not
properly escape the HTTP POST data of a request. If a user w
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-05-07·CVSS 8.1
CVE-2020-12387 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, bypass security
restrictions, spoof the URL bar, or execute arbitrary code.
(CVE-2020-6831, CVE-2020-12387, CVE-2020-12390, CVE-2020-12391,
CVE-2020-12394, CVE-2020-12395, CVE-2020-12396)
It was discovered that the Devtools’ ‘Copy as cURL’ feature did not
properly escape the HTTP POST data of a request. If a user were tricked into
using the ‘Copy as cURL’ feature to copy and paste a command with
specially crafted data into a terminal, an attacker could potentiall
Red Hat
Mozilla: URL spoofing in location bar when unfocussed
vendor_redhat·2020-05-05·CVSS 3.3
CVE-2020-12394 [LOW] CWE-451 Mozilla: URL spoofing in location bar when unfocussed
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
The Mozilla Foundation Security Advisory describes this flaw as:
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element.
Package: firefox (Red Hat Enterprise Linux 5) - Out of support scope
Package: firefox (Red Hat Enterprise Linux 6) - Out of support scope
Package: firefox (Red Hat Enterprise Linux 7) - Will not fix
Package: firefox (Red Hat Enterprise Linux 8) - Will not
Debian
CVE-2020-12394: firefox - A logic flaw in our location bar implementation could have allowed a local attac...
vendor_debian·2020·CVSS 3.3
CVE-2020-12394 [LOW] CVE-2020-12394: firefox - A logic flaw in our location bar implementation could have allowed a local attac...
A logic flaw in our location bar implementation could have allowed a local attacker to spoof the current location by selecting a different origin and removing focus from the input element. This vulnerability affects Firefox < 76.
Scope: local
sid: resolved (fixed in 76.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-16: CVE-2020-12394
vendor_mozilla·CVSS 3.3
CVE-2020-12394 [LOW] Mozilla Foundation Security Advisory 2020-16: CVE-2020-12394
Mozilla Foundation Security Advisory 2020-16
CVE: CVE-2020-12394
Product: Firefox
Impact: high
Fixed in: Firefox 76
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1628288
https://security.gentoo.org/glsa/202005-04
https://www.mozilla.org/security/advisories/mfsa2020-16/
Published: 2020-05-26