CVE-2020-15676 — Cross-site Scripting in Mozilla Firefox
Severity
6.1MEDIUMNVD
EPSS
1.3%
top 20.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 1
Latest updateMay 24
Description
Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages8 packages
Also affects: Debian Linux 10.0, 9.0
🔴Vulnerability Details
3GHSA▶
GHSA-m5jf-7x3g-f295: Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasti↗2022-05-24
OSV▶
CVE-2020-15676: Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasti↗2020-10-01
CVEList▶
CVE-2020-15676: Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasti↗2020-10-01
📋Vendor Advisories
6Red Hat
▶
Debian▶
CVE-2020-15676: firefox - Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer...↗2020
💬Community
1Bugzilla▶
CVE-2020-15676 Mozilla: XSS when pasting attacker-controlled data into a contenteditable element↗2020-09-22