CVE-2020-15682 — Origin Validation Error in Mozilla Firefox

CWE-346 — Origin Validation Error7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedOct 22

Latest updateMay 24

Description

When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin. This vulnerability affects Firefox < 82.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶debiandebian/firefox< firefox 82.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 82

▶NVDmozilla/firefox< 82.0

▶Ubuntumozilla/firefox< 82.0+build2-0ubuntu0.16.04.5+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-hx45-gw2r-332x: When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in↗2022-05-24

▶

OSV

CVE-2020-15682: When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in↗2020-10-22

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2020-10-26

▶

Ubuntu

Firefox vulnerabilities↗2020-10-23

▶

Debian

CVE-2020-15682: firefox - When a link to an external protocol was clicked, a prompt was presented that all...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-45: CVE-2020-15682↗

▶