CVE-2020-15648 — UI Misrepresentation / Clickjacking in Mozilla Firefox

CWE-1021 — UI Misrepresentation / Clickjacking CWE-451 — User Interface (UI) Misrepresentation of Critical Information8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird Debian Firefox

Timeline

PublishedAug 10

Latest updateMay 24

Description

Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶debiandebian/firefox< firefox 78.0.2-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 78.0.2

▶NVDmozilla/firefox< 78.0.2

▶CVEListV5mozilla/thunderbirdunspecified — 78

▶NVDmozilla/thunderbird< 78.0

🔴Vulnerability Details

GHSA

GHSA-jrmg-2w74-rwc9: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header↗2022-05-24

▶

OSV

CVE-2020-15648: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header↗2020-08-10

▶

📋Vendor Advisories

Red Hat

Mozilla: X-Frame-Options bypass using object or embed tags↗2020-07-08

▶

Debian

CVE-2020-15648: firefox - Using object or embed tags, it was possible to frame other websites, even if the...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-28: CVE-2020-15648↗

▶

Mozilla

Mozilla Foundation Security Advisory 2020-29: CVE-2020-15648↗

▶

💬Community

Bugzilla

CVE-2020-15648 Mozilla: X-Frame-Options bypass using object or embed tags↗2020-08-26

▶