CVE-2020-15680
Published 2020-10-22
Priority: P4 · 25 · medium
CVSS 3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.94% (56.5th percentile)
If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 82.0-1 (sid) | firefox 82.0-1 (sid) |
| mozilla | firefox | < 82.0 | 82.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 82.0+build2-0ubuntu0.16.04.5 | 82.0+build2-0ubuntu0.16.04.5 |
| mozilla | firefox | >= 0 < 82.0+build2-0ubuntu0.18.04.1 | 82.0+build2-0ubuntu0.18.04.1 |
| mozilla | firefox | >= 0 < 82.0+build2-0ubuntu0.20.04.1 | 82.0+build2-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 82 | 82 |
CVSS provenance
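| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |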
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-10-26
CVE-2020-15680 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
USN-4599-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Ubuntu 16.04 LTS.
Original advisory details:
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the prompt
for opening an external application, obtain sensitive information, or execute
arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-10-23
CVE-2020-15680 Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, spoof the prompt
for opening an external application, obtain sensitive information, or execute
arbitrary code.
Instructions: After a standard system update you need to restart Firefox to make
all the necessary changes.
Debian
CVE-2020-15680: firefox - If a valid external protocol handler was referenced in an image tag, the resulti...
vendor_debian·2020·CVSS 5.3
CVE-2020-15680 [MEDIUM] CVE-2020-15680: firefox - If a valid external protocol handler was referenced in an image tag, the resulti...
If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.
Scope: local
sid: resolved (fixed in 82.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-45: CVE-2020-15680
vendor_mozilla·CVSS 5.3
CVE-2020-15680 [MEDIUM] Mozilla Foundation Security Advisory 2020-45: CVE-2020-15680
Mozilla Foundation Security Advisory 2020-45
CVE: CVE-2020-15680
Product: Firefox
Impact: high
Fixed in: Firefox 82
GHSA
GHSA-rcq3-vgfc-jm9v: If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size o
ghsa_unreviewed·2022-05-24
CVE-2020-15680 [MEDIUM] GHSA-rcq3-vgfc-jm9v: If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size o
If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.
OSV
CVE-2020-15680: If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size o
osv·2020-10-22·CVSS 5.3
CVE-2020-15680 [MEDIUM] CVE-2020-15680: If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size o
If a valid external protocol handler was referenced in an image tag, the resulting broken image size could be distinguished from a broken image size of a non-existent protocol handler. This allowed an attacker to successfully probe whether an external protocol handler was registered. This vulnerability affects Firefox < 82.
No detection rules found.
No public exploits indexed.
Fortinet
Leaking Browser URL/Protocol Handlers | FortiGuard Labs
blogs_fortinet·2020-12-03·CVSS 5.3
CVE-2020-15680 [MEDIUM] Leaking Browser URL/Protocol Handlers | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Leaking Browser URL/Protocol Handlers
By Rotem Kerner | December 03, 2020
FortiGuard Labs Threat Research Report
Affected platforms: Windows, Linux
Impacted parties: Chrome, Firefox and Edge
Impact: Leaking sensitive data
Severity level: Medium
Assigned CVEs: CVE-2020-15680
An important step in any targeted attack is reconnaissance. The more information an attacker can obtain on the victim, the greater the chances for a successful exploitation and infiltration. Recently, we uncovered two information disclosure vulnerabilities affecting three of the major web browsers which can be leveraged to leak out a vast range of installed applications, including the presence of security products, allowing a threat actor to gain critical insights on the target.
In t
Bugzilla
Leaking Browser URL/Protocol Handlers by img onerror loading time
bugzilla·2024-03-05·CVSS 5.3
CVE-2020-15680 [MEDIUM] Leaking Browser URL/Protocol Handlers by img onerror loading time
Leaking Browser URL/Protocol Handlers by img onerror loading time
Created attachment 9389415
poc_img.html
Hello, I'm Satoki, a CTF player and security engineer. Inspired by CVE-2020-15680, I've discovered a new leak involving external protocol handlers. The mechanism is simple: it measures the time from when the loading of an "img" tag starts to when the "onerror" event is triggered. I've found that if a handler exists, there's a delay in response.
```
Threshold: 455ms
amazon:// : 437ms
ftp:// : 853ms
geo:// : 400ms
instagram:// : 392ms
mailto:// : 2527ms
ms-edge:// : 401ms
ms-store:// : 441ms
onenote:// : 952ms
skype:// : 395ms
slack:// : 901ms
sms:// : 470ms
spotify:// : 886ms
steam:// : 834ms
tel:// : 1619ms
twitch:// : 474ms
twitter:// : 455ms
whatsapp:// : 406ms
zoommtg:// : 873ms
```
Bugzilla
Leaking Browser URL/Protocol Handlers by CSP report-uri
bugzilla·2024-02-27·CVSS 5.3
CVE-2020-15680 [MEDIUM] Leaking Browser URL/Protocol Handlers by CSP report-uri
Leaking Browser URL/Protocol Handlers by CSP report-uri
Created attachment 9387890
poc.py
Hello,
I am Satoki, a security researcher & CTF player.
I came across CVE-2020-15680 while exploring new XS-Leaks techniques for CTF.
https://www.fortinet.com/blog/threat-research/leaking-browser-url-protocol-handlers
Subsequently, I reported a leak technique using window.open as Bug 1881037 on Bugzilla.
The purpose of this report is the same as the others, but the underlying cause and technique are entirely different.
Hence, I believed it appropriate to make a new report.
No user interaction is required.
The goal is to leak Browser URL/Protocol Handlers to an attacker's site.
CVE-2020-15680 utilized the different CSS sizes of img tags.
Bug 1881037 leaked information from the error response of win
Bugzilla
Leaking Browser URL/Protocol Handlers through window.open() behavior
bugzilla·2024-02-20·CVSS 5.3
CVE-2020-15680 [MEDIUM] Leaking Browser URL/Protocol Handlers through window.open() behavior
Leaking Browser URL/Protocol Handlers through window.open() behavior
Created attachment 9381005
PoC.html
I am aware that a highly skilled hacker previously identified a vulnerability related to leaking URL/Protocol Handlers through an img tag in CVE-2020-15680. I consulted the following article for my research:
https://www.fortinet.com/blog/threat-research/leaking-browser-url-protocol-handlers
The technique discussed in this article involves using the size of an img tag as a means to leak information. However, I have discovered a simpler method of leaking such information in the latest version of Windows Desktop Firefox (122.0.1 64bit).
I have found a method that can determine whether a URI scheme is valid based on the behavior of accessing the return value of window.open (whether it i