CVE-2020-26951

Summary

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox< 83affected
MozillaFirefox ESR< 78.5affected
MozillaThunderbird< 78.5affected

Weaknesses

  • Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code

ADP Enrichment

CVE Program Container

Additional References

References