CVE-2020-15653Incorrect Default Permissions in Mozilla Firefox

CWE-276Incorrect Default Permissions12 documents9 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 48.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla FirefoxMozilla Firefox ESRMozilla Thunderbird+1 more
Timeline
PublishedAug 10
Latest updateMay 24

Description

An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links. This could have led to security issues for websites relying on sandbox configurations that allowed popups and hosted arbitrary content. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

CVEListV5mozilla/firefoxunspecified79
NVDmozilla/firefox< 79.0
CVEListV5mozilla/firefox_esrunspecified78.1
Ubuntumozilla/firefox< 79.0+build1-0ubuntu0.16.04.2+2

Also affects: Ubuntu Linux 16.04, 18.04, 20.04

🔴Vulnerability Details

4
GHSA
GHSA-vcgf-4q4f-3267: An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links2022-05-24
CVEList
CVE-2020-15653: An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links2020-08-10
OSV
CVE-2020-15653: An iframe sandbox element with the allow-popups flag could be bypassed when using noopener links2020-07-29
OSV
firefox vulnerabilities2020-07-29

📋Vendor Advisories

6
Ubuntu
Firefox vulnerabilities2020-07-29
Red Hat
Mozilla: Bypassing iframe sandbox when allowing popups2020-07-28
Debian
CVE-2020-15653: firefox - An iframe sandbox element with the allow-popups flag could be bypassed when usin...2020
Mozilla
Mozilla Foundation Security Advisory 2020-30: CVE-2020-15653
Mozilla
Mozilla Foundation Security Advisory 2020-32: CVE-2020-15653

💬Community

1
Bugzilla
CVE-2020-15653 Mozilla: Bypassing iframe sandbox when allowing popups2020-07-29
CVE-2020-15653 — Incorrect Default Permissions | cvebase