CVE-2020-12412Open Redirect in Mozilla Firefox

CWE-601Open Redirect7 documents6 sources
Severity
4.3MEDIUMNVD
EPSS
0.3%
top 48.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla FirefoxDebian Firefox
Timeline
PublishedJul 9
Latest updateMay 24

Description

By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocked port number such as '1', and without a lock icon) while controlling the page contents. This vulnerability affects Firefox < 70.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

debiandebian/firefox< firefox 70.0-1 (sid)
CVEListV5mozilla/firefoxunspecified70
NVDmozilla/firefox< 70.0
Ubuntumozilla/firefox< 70.0+build2-0ubuntu0.16.04.1+2

🔴Vulnerability Details

2
GHSA
GHSA-x2m9-q3vv-hr85: By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocke2022-05-24
OSV
CVE-2020-12412: By navigating a tab using the history API, an attacker could cause the address bar to display the incorrect domain (with the https:// scheme, a blocke2020-07-09

📋Vendor Advisories

2
Red Hat
firefox: address bar spoof using history navigation and blocked ports2020-07-09
Debian
CVE-2020-12412: firefox - By navigating a tab using the history API, an attacker could cause the address b...2020

💬Community

2
Bugzilla
CVE-2020-12412 firefox: address bar spoof using history navigation and blocked ports2020-07-10
Bugzilla
Address bar spoof using history navigation and blocked ports2019-02-17