CVE-2020-12391

Summary

Documents formed using data: URLs in an OBJECT element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin. This vulnerability affects Firefox < 76.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefoxunspecified < 76affected

Weaknesses

  • Content-Security-Policy bypass using object elements

ADP Enrichment

CVE Program Container

Additional References

References