CVE-2020-6810 — Authentication Bypass by Spoofing in Mozilla Firefox

CWE-290 — Authentication Bypass by Spoofing9 documents8 sources

Severity

4.3MEDIUMNVD

OSV6.5

EPSS

0.3%

top 50.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedMar 25

Latest updateMay 24

Description

After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in fullscreen mode. Combined with spoofing the browser chrome, this could have led to confusing the user about the current origin of the page and credential theft or other attacks. This vulnerability affects Firefox < 74.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶debiandebian/firefox< firefox 74.0-1 (sid)

▶CVEListV5mozilla/firefoxunspecified — 74

▶NVDmozilla/firefox< 74.0

▶Ubuntumozilla/firefox< 74.0+build3-0ubuntu0.16.04.1+2

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-7j8v-jvv6-m8cg: After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in↗2022-05-24

▶

OSV

firefox vulnerabilities↗2020-03-11

▶

OSV

CVE-2020-6810: After a website had entered fullscreen mode, it could have used a previously opened popup to obscure the notification that indicates the browser is in↗2020-03-11

▶

📋Vendor Advisories

Ubuntu

Firefox vulnerabilities↗2020-03-11

▶

Red Hat

Mozilla: Focusing a popup while in fullscreen could have obscured the fullscreen notification↗2020-03-10

▶

Debian

CVE-2020-6810: firefox - After a website had entered fullscreen mode, it could have used a previously ope...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-08: CVE-2020-6810↗

▶

💬Community

Bugzilla

CVE-2020-6810 Mozilla: Focusing a popup while in fullscreen could have obscured the fullscreen notification↗2020-04-29

▶