CVE-2020-6825
Published: 2020-04-24
Priority: P340 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.91% (77.2th percentile)
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 75.0-1 (sid) | firefox 75.0-1 (sid) |
| debian | firefox-esr | < firefox 75.0-1 (sid) | firefox 75.0-1 (sid) |
| debian | thunderbird | < firefox 75.0-1 (sid) | firefox 75.0-1 (sid) |
| mozilla | firefox | < 75.0 | 75.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 75.0+build3-0ubuntu0.16.04.1 | 75.0+build3-0ubuntu0.16.04.1 |
| mozilla | firefox | >= 0 < 75.0+build3-0ubuntu0.18.04.1 | 75.0+build3-0ubuntu0.18.04.1 |
| mozilla | firefox | >= unspecified < 75 | 75 |
| mozilla | firefox_esr | < 68.7.0 | 68.7.0 |
| mozilla | firefox_esr | >= unspecified < 68.7 | 68.7 |
| mozilla | thunderbird | < 68.7.0 | 68.7.0 |
| mozilla | thunderbird | >= 0 < 1:68.7.0-1 | 1:68.7.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.7.0-1 | 1:68.7.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.7.0-1 | 1:68.7.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.7.0-1 | 1:68.7.0-1 |
| mozilla | thunderbird | >= 0 < 1:68.7.0+build1-0ubuntu0.16.04.2 | 1:68.7.0+build1-0ubuntu0.16.04.2 |
| mozilla | thunderbird | >= 0 < 1:68.7.0+build1-0ubuntu0.18.04.1 | 1:68.7.0+build1-0ubuntu0.18.04.1 |
| mozilla | thunderbird | >= unspecified < 68.7.0 | 68.7.0 |
CVSS provenance
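| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |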
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2020-04-21·CVSS 8.8
CVE-2019-11745 [HIGH] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, bypass
same-origin restrictions, conduct cross-site scripting (XSS) attacks, or
execute arbitrary code. (CVE-2019-11757, CVE-2019-11758, CVE-2019-11759,
CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763,
CVE-2019-11764, CVE-2019-17005, CVE-2019-17008, CVE-2019-17010,
CVE-2019-17011, CVE-2019-17012, CVE-2019-17016, CVE-2019-17017,
CVE-2019-17022, CVE-2019-17024, CVE-2019-17026, CVE-2019-20503,
CVE-2020-6798,
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2020-04-13·CVSS 6.5
CVE-2020-6792 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
It was discovered that Message ID calculation was based on uninitialized
data. An attacker could potentially exploit this to obtain sensitive
information. (CVE-2020-6792)
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information, or execute arbitrary code. (CVE-2020-6793, CVE-2020-6795,
CVE-2020-6822)
It was discovered that if a user saved passwords before Thunderbird 60
and then later set a master password, an unencrypted copy of these
passwords would still be accessible. A local user could exploit this to
obtain sensitive info
Red Hat
Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
vendor_redhat·2020-04-08·CVSS 9.8
CVE-2020-6825 [CRITICAL] CWE-120 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
The Mozilla Foundation Security Advisory describes this flaw as:
Mozilla developers reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Package: firefox (Red H
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2020-04-07·CVSS 7.5
CVE-2020-6821 [HIGH] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822,
CVE-2020-6824, CVE-2020-6825, CVE-2020-6826)
It was discovered that extensions could obtain auth codes from OAuth login
flows in some circumstances. If a user were tricked in to installing a
specially crafted extension, an attacker could potentially exploit this to
obtain access to the user's account. (CVE-2020-6823)
Instructions: After a standard system update you need to rest
Debian
CVE-2020-6825: firefox - Mozilla developers and community members Tyson Smith and Christian Holler report...
vendor_debian·2020·CVSS 9.8
CVE-2020-6825 [CRITICAL] CVE-2020-6825: firefox - Mozilla developers and community members Tyson Smith and Christian Holler report...
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
Scope: local
sid: resolved (fixed in 75.0-1)
Mozilla
Mozilla Foundation Security Advisory 2020-12: CVE-2020-6825
vendor_mozilla·CVSS 9.8
CVE-2020-6825 [CRITICAL] Mozilla Foundation Security Advisory 2020-12: CVE-2020-6825
Mozilla Foundation Security Advisory 2020-12
CVE: CVE-2020-6825
Product: Firefox
Impact: high
Fixed in: Firefox 75
Mozilla
Mozilla Foundation Security Advisory 2020-13: CVE-2020-6825
vendor_mozilla·CVSS 9.8
CVE-2020-6825 [CRITICAL] Mozilla Foundation Security Advisory 2020-13: CVE-2020-6825
Mozilla Foundation Security Advisory 2020-13
CVE: CVE-2020-6825
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 68.7
Mozilla
Mozilla Foundation Security Advisory 2020-14: CVE-2020-6825
vendor_mozilla·CVSS 9.8
CVE-2020-6825 [CRITICAL] Mozilla Foundation Security Advisory 2020-14: CVE-2020-6825
Mozilla Foundation Security Advisory 2020-14
CVE: CVE-2020-6825
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 68.7
GHSA
GHSA-pj8r-w3xr-j4w5: Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68
ghsa_unreviewed·2022-05-24
CVE-2020-6825 [HIGH] CWE-119 GHSA-pj8r-w3xr-j4w5: Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
OSV
CVE-2020-6825: Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68
osv·2020-04-24·CVSS 9.8
CVE-2020-6825 [CRITICAL] CVE-2020-6825: Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68
Mozilla developers and community members Tyson Smith and Christian Holler reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 68.7.0, Firefox ESR < 68.7, and Firefox < 75.
OSV
thunderbird vulnerabilities
osv·2020-04-21·CVSS 8.8
CVE-2019-11757 [HIGH] thunderbird vulnerabilities
thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, bypass
same-origin restrictions, conduct cross-site scripting (XSS) attacks, or
execute arbitrary code. (CVE-2019-11757, CVE-2019-11758, CVE-2019-11759,
CVE-2019-11760, CVE-2019-11761, CVE-2019-11762, CVE-2019-11763,
CVE-2019-11764, CVE-2019-17005, CVE-2019-17008, CVE-2019-17010,
CVE-2019-17011, CVE-2019-17012, CVE-2019-17016, CVE-2019-17017,
CVE-2019-17022, CVE-2019-17024, CVE-2019-17026, CVE-2019-20503,
CVE-2020-6798, CVE-2020-6800, CVE-2020-6805, CVE-2020-6806, CVE-2020-6807,
CVE-2020
OSV
thunderbird vulnerabilities
osv·2020-04-13·CVSS 6.5
CVE-2020-6792 [MEDIUM] thunderbird vulnerabilities
thunderbird vulnerabilities
It was discovered that Message ID calculation was based on uninitialized
data. An attacker could potentially exploit this to obtain sensitive
information. (CVE-2020-6792)
Multiple security issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information, or execute arbitrary code. (CVE-2020-6793, CVE-2020-6795,
CVE-2020-6822)
It was discovered that if a user saved passwords before Thunderbird 60
and then later set a master password, an unencrypted copy of these
passwords would still be accessible. A local user could exploit this to
obtain sensitive information. (CVE-2020-6794)
Multiple security issues were discovered i
OSV
firefox vulnerabilities
osv·2020-04-07·CVSS 7.5
CVE-2020-6821 [HIGH] firefox vulnerabilities
firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked in to opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information, or execute arbitrary code. (CVE-2020-6821, CVE-2020-6822,
CVE-2020-6824, CVE-2020-6825, CVE-2020-6826)
It was discovered that extensions could obtain auth codes from OAuth login
flows in some circumstances. If a user were tricked in to installing a
specially crafted extension, an attacker could potentially exploit this to
obtain access to the user's account. (CVE-2020-6823)
No detection rules found.
No public exploits indexed.
Checkpoint
13th April – Threat Intelligence Bulletin
blogs_checkpoint·2020-04-13
CVE-2020-3952 13th April – Threat Intelligence Bulletin
## 13th April – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 13th April 2020, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Hammersmith Medicines Research LTD (HMR), a research firm on standby to perform live trials of coronavirus vaccines, has suffered a data breach by the Maze ransomware. HMR has decided not to pay the ransom, only to have stolen data published a week later on the attackers’ “News” site. The attack compromised volunteers’
Bugzilla
CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
bugzilla·2020-04-07·CVSS 9.8
CVE-2020-6825 [CRITICAL] CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
CVE-2020-6825 Mozilla: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
Mozilla developers reported memory safety bugs present in Firefox 74 and Firefox ESR 68.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Discussion:
Acknowledgments:
Name: the Mozilla project
Upstream: Tyson Smith and Christian Holler
---
External References:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6825
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:1404 https://access.redhat.com/errata/RHSA-2020:1404
---
This issue has been addressed in the following products:
Re
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1572541%2C1620193%2C1620203
https://usn.ubuntu.com/4335-1/
https://www.mozilla.org/security/advisories/mfsa2020-12/
https://www.mozilla.org/security/advisories/mfsa2020-13/
https://www.mozilla.org/security/advisories/mfsa2020-14/
Published: 2020-04-24