CVE-2020-26951
N/A
N/A
Summary
A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mozilla | Firefox | < 83 | affected |
| Mozilla | Firefox ESR | < 78.5 | affected |
| Mozilla | Thunderbird | < 78.5 | affected |
Weaknesses
- Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code
ADP Enrichment
CVE Program Container
Additional References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
- https://www.mozilla.org/security/advisories/mfsa2020-50/
- https://www.mozilla.org/security/advisories/mfsa2020-52/
- https://www.mozilla.org/security/advisories/mfsa2020-51/
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1667113
- https://www.mozilla.org/security/advisories/mfsa2020-50/
- https://www.mozilla.org/security/advisories/mfsa2020-52/
- https://www.mozilla.org/security/advisories/mfsa2020-51/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.