CVE-2020-26979 — Open Redirect in Mozilla Firefox

CWE-601 — Open Redirect7 documents6 sources

Severity

6.1MEDIUMNVD

OSV6.5

EPSS

0.3%

top 51.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJan 7

Latest updateMay 24

Description

When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages5 packages

▶debiandebian/firefox< firefox 84.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 84

▶NVDmozilla/firefox< 84.0

▶Ubuntumozilla/firefox< 84.0+build3-0ubuntu0.16.04.1+2

▶mozillamozilla/firefox

Patches

Patch: bugzilla.mozilla.org ↗Patch: bugzilla.mozilla.org ↗

🔴Vulnerability Details

GHSA

GHSA-3c9h-j75v-3mr5: When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redi↗2022-05-24

▶

OSV

CVE-2020-26979: When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redi↗2020-12-15

▶

OSV

firefox vulnerabilities↗2020-12-15

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2020-12-15

▶

Debian

CVE-2020-26979: firefox - When a user typed a URL in the address bar or the search bar and quickly hit the...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-54: CVE-2020-26979↗

▶