CVE-2020-15654
published 2020-08-10


Priority: P2 (77) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
ITW: listed in VulnCheck KEV (exploited in the wild)
EPSS: 1.24% (65.4th percentile)
When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

Affected (17 ranges)

Vendor     Product       Version range                                Fixed in
canonical  ubuntu_linux  (not listed)                                 (not listed)
canonical  ubuntu_linux  (not listed)                                 (not listed)
canonical  ubuntu_linux  (not listed)                                 (not listed)
debian     firefox       < firefox 79.0-1 (sid)                       firefox 79.0-1 (sid)
debian     thunderbird   < firefox 79.0-1 (sid)                       firefox 79.0-1 (sid)
mozilla    firefox       < 79.0                                       79.0
mozilla    firefox       (not listed)                                 (not listed)
mozilla    firefox       >= 0, < 79.0+build1-0ubuntu0.16.04.2         79.0+build1-0ubuntu0.16.04.2
mozilla    firefox       >= 0, < 79.0+build1-0ubuntu0.18.04.1         79.0+build1-0ubuntu0.18.04.1
mozilla    firefox       >= 0, < 79.0+build1-0ubuntu0.20.04.1         79.0+build1-0ubuntu0.20.04.1
mozilla    firefox       >= unspecified, < 79                         79
mozilla    firefox_esr   < 78.1                                       78.1
mozilla    firefox_esr   >= unspecified, < 78.1                       78.1
mozilla    thunderbird   < 78.1                                       78.1
mozilla    thunderbird   >= 0, < 1:78.8.1+build1-0ubuntu0.18.04.1     1:78.8.1+build1-0ubuntu0.18.04.1
mozilla    thunderbird   >= 0, < 1:78.7.1+build1-0ubuntu0.20.04.1     1:78.7.1+build1-0ubuntu0.20.04.1
mozilla    thunderbird   >= unspecified, < 78.1                       78.1

Detection & IOCs (extracted from sources)

  • The vulnerability lets a page that keeps the main thread in an endless loop while specifying a custom CSS cursor keep that cursor displayed over the browser UI, so the user appears to be interacting with dialogs and warnings that are in fact not responding. A practical, if heuristic, detection is to flag page sources that set a custom cursor image (cursor: url(...)) together with script that never yields (for example while (true) or for (;;)); either trait on its own is common and benign.
  • Affected versions: Firefox < 79, Firefox ESR < 78.1, Thunderbird < 78.1. Remediate by updating to Firefox 79, Firefox ESR 78.1, or Thunderbird 78.1 or later.
  • Red Hat Enterprise Linux 7 and 8 Thunderbird packages are marked 'Will not fix', so a patched Thunderbird may not be available through standard RHEL channels for those releases.
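A heuristic scanner for the detection idea in the first bullet, written here as an added example (it is not code from this page, from Mozilla, or from any of the cited sources). It assumes page sources are available as strings; the function names scanPage and triage, the regular expressions, and the three sample pages are constructed for this example and are not real-world captures.

```javascript
// Added example, not code from the CVE page or from Mozilla: a heuristic
// static scanner for the CVE-2020-15654 pattern (custom CSS cursor plus an
// endless main-thread loop). All function names, regexes and sample pages
// below are this example's own assumptions.

// Ways a page can install a custom cursor image.
const CUSTOM_CURSOR_PATTERNS = [
  /cursor\s*:\s*url\s*\(/i,                                      // CSS rule or style attribute
  /\.style\.cursor\s*=\s*["'`]\s*url\s*\(/i,                     // el.style.cursor = "url(...)"
  /setProperty\s*\(\s*["'`]cursor["'`]\s*,\s*["'`]\s*url\s*\(/i, // style.setProperty('cursor', 'url(...)')
];

// Loop heads whose condition is a constant truth value. This is a textual
// heuristic: a `while (true)` that breaks out is a false positive, and a loop
// that never terminates for data-dependent reasons is a false negative.
const ENDLESS_LOOP_RE =
  /\bwhile\s*\(\s*(?:true|1|!0)\s*\)|\bfor\s*\(\s*;\s*;\s*\)|\bdo\s*\{[\s\S]*?\}\s*while\s*\(\s*(?:true|1|!0)\s*\)/;

// Scan one page source (HTML with inline CSS/JS) and report what was found.
function scanPage(source) {
  const evidence = [];
  let customCursor = false;
  for (const re of CUSTOM_CURSOR_PATTERNS) {
    const m = re.exec(source);
    if (m) {
      customCursor = true;
      evidence.push(`custom cursor: ${m[0].trim()}`);
      break;
    }
  }
  const loop = ENDLESS_LOOP_RE.exec(source);
  if (loop) evidence.push(`endless loop: ${loop[0].trim()}`);
  return {
    customCursor,
    endlessLoop: Boolean(loop),
    // Only the combination matters for this CVE: either trait alone is benign.
    suspicious: customCursor && Boolean(loop),
    evidence,
  };
}

// Return the names of the pages worth a human look.
function triage(pages) {
  return Object.entries(pages)
    .filter(([, src]) => scanPage(src).suspicious)
    .map(([name]) => name);
}

// Constructed sample pages (not captured from any real site).
const SUSPICIOUS_PAGE = `<!doctype html>
<html><head><style>
  body { cursor: url("hand.cur"), auto; }
</style></head>
<body><script>
  // keeps the main thread busy forever
  while (true) { }
</script></body></html>`;

const BENIGN_PAGE = `<!doctype html>
<html><head><style> a { cursor: pointer; } </style></head>
<body><script>
  for (let i = 0; i < 10; i++) { console.log(i); }
</script></body></html>`;

const CURSOR_ONLY_PAGE = `<html><head><style>
  .brand { cursor: url(logo.png) 4 4, pointer; }
</style></head><body></body></html>`;

const SAMPLES = { suspicious: SUSPICIOUS_PAGE, benign: BENIGN_PAGE, cursorOnly: CURSOR_ONLY_PAGE };

console.log(triage(SAMPLES)); // → ["suspicious"]
console.log(scanPage(SUSPICIOUS_PAGE).evidence);
```

The scanner only looks at literal loop heads, so it is a triage filter rather than a verdict: a timer-driven animation (setInterval, requestAnimationFrame) or a loop inside a Web Worker does not block the main thread and is not what this CVE describes, while an endless loop reached through a function call chain will be missed. Treat a hit as a reason to inspect the page, ideally alongside runtime signals such as the browser's slow-script warning firing while a custom cursor is set.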

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd            v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N
osv                     6.5    MEDIUM
vulncheck               6.5    MEDIUM
vendor_debian           6.5    MEDIUM
vendor_redhat           6.5    MEDIUM
vendor_ubuntu           6.5    MEDIUM