CVE-2020-15648
Published 2020-08-10
Priority P426, medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 1.14% (62.8th percentile)
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header. This vulnerability affects Thunderbird < 78 and Firefox < 78.0.2.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 78.0.2-1 (sid) | firefox 78.0.2-1 (sid) |
| mozilla | firefox | < 78.0.2 | 78.0.2 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 79.0+build1-0ubuntu0.16.04.2 | 79.0+build1-0ubuntu0.16.04.2 |
| mozilla | firefox | >= 0 < 79.0+build1-0ubuntu0.18.04.1 | 79.0+build1-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 79.0+build1-0ubuntu0.20.04.1 | 79.0+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 78.0.2 | 78.0.2 |
| mozilla | thunderbird | < 78.0 | 78.0 |
| mozilla | thunderbird | >= 0 < 1:78.8.1+build1-0ubuntu0.18.04.1 | 1:78.8.1+build1-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= 0 < 1:78.7.1+build1-0ubuntu0.20.04.1 | 1:78.7.1+build1-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= unspecified < 78 | 78 |
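CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |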
Red Hat
Mozilla: X-Frame-Options bypass using object or embed tags
vendor_redhat·2020-07-08·CVSS 6.5
CVE-2020-15648 [MEDIUM] CWE-451 Mozilla: X-Frame-Options bypass using object or embed tags
Package: firefox (Red Hat Enterprise Linux 5) - Out of support scope
Package: firefox (Red Hat Enterprise Linux 6) - Out of support scope
Debian
CVE-2020-15648: firefox - Using object or embed tags, it was possible to frame other websites, even if the...
vendor_debian·2020·CVSS 6.5
CVE-2020-15648 [MEDIUM] CVE-2020-15648: firefox - Using object or embed tags, it was possible to frame other websites, even if the...
Scope: local
sid: resolved (fixed in 78.0.2-1)
Mozilla
Mozilla Foundation Security Advisory 2020-28: CVE-2020-15648
vendor_mozilla·CVSS 6.5
CVE-2020-15648 [MEDIUM] Mozilla Foundation Security Advisory 2020-28: CVE-2020-15648
CVE: CVE-2020-15648
Product: Firefox
Impact: moderate
Fixed in: Firefox 78.0.2
Mozilla
Mozilla Foundation Security Advisory 2020-29: CVE-2020-15648
vendor_mozilla·CVSS 6.5
CVE-2020-15648 [MEDIUM] Mozilla Foundation Security Advisory 2020-29: CVE-2020-15648
CVE: CVE-2020-15648
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 78
GHSA
GHSA-jrmg-2w74-rwc9: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header
ghsa_unreviewed·2022-05-24
CVE-2020-15648 [MEDIUM] GHSA-jrmg-2w74-rwc9: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header
OSV
CVE-2020-15648: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header
osv·2020-08-10·CVSS 6.5
CVE-2020-15648 [MEDIUM] CVE-2020-15648: Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1644076
https://www.mozilla.org/security/advisories/mfsa2020-28/
https://www.mozilla.org/security/advisories/mfsa2020-29/
Published: 2020-08-10