Risk | High |
Patch available | YES |
Number of vulnerabilities | 11 |
CVE-ID | CVE-2020-12387 CVE-2020-12388 CVE-2020-12389 CVE-2020-6831 CVE-2020-12390 CVE-2020-12391 CVE-2020-12392 CVE-2020-12393 CVE-2020-12394 CVE-2020-12395 CVE-2020-12396 |
CWE-ID | CWE-416 CWE-264 CWE-119 CWE-20 CWE-451 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #2 is available. |
Vulnerable software | Mozilla Firefox, Firefox ESR (Client/Desktop applications / Web browsers) |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
EUVDB-ID: #VU27529
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12387
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error caused by a race condition when running the shutdown code for a Web Worker. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger the use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/show_bug.cgi?id=1545345
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27530
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-12388
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to bypass sandbox restrictions.
The vulnerability exists because the Firefox content processes did not sufficiently lock down access control, owing to improper protection of access tokens. A remote attacker can bypass implemented security restrictions and execute arbitrary code on the target system.
Note: this vulnerability affects Windows versions only.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/show_bug.cgi?id=1618911
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.
EUVDB-ID: #VU27531
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12389
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the Firefox content processes did not sufficiently lock down access control for separate process types. A remote attacker can bypass implemented security restrictions and execute arbitrary code on the target system.
Note: this vulnerability affects Windows versions only.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/show_bug.cgi?id=1554110
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27532
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6831
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing SCTP chunks in WebRTC. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/show_bug.cgi?id=1632241
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27533
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12390
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to incorrect origin serialization of nsIPrincipal.origin for IPv6 addresses. A remote attacker can bypass implemented security restrictions with a specially crafted URL.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://bugzilla.mozilla.org/show_bug.cgi?id=1141959
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27534
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12391
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because documents formed using data: URLs in an object element failed to inherit the CSP of the creating context. A remote attacker can execute arbitrary scripts that should have been blocked, albeit with a unique opaque origin.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://bugzilla.mozilla.org/show_bug.cgi?id=1457100
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27535
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12392
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because the "Copy as cURL" feature of the Devtools network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the "Copy as cURL" feature and pasted the command into a terminal, it could have resulted in the disclosure of local files.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/show_bug.cgi?id=1614468
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27536
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12393
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because the "Copy as cURL" feature of the Devtools network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the "Copy as cURL" feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution.
Note: this vulnerability affects Windows installations only.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/show_bug.cgi?id=1615471
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
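As an added illustration for the two "Copy as cURL" entries above (CVE-2020-12392 and CVE-2020-12393), the following is a hypothetical Python generator, not Firefox's code, showing the properties a safe command-copy feature needs: every website-controlled field is shell-quoted as a single argument, the HTTP method is validated against the RFC 7230 token grammar before it is used, and the body is passed with curl's --data-raw so that a leading "@" cannot make curl read a local file. It assumes a POSIX shell (cmd.exe quoting rules differ) and a curl release that supports --data-raw.

```python
import re
import shlex

# RFC 7230 "token" characters: the only ones legal in an HTTP method name.
_METHOD_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_`|~-]+$")


def build_curl_argv(url, method, headers, body=None):
    """Return the argv a safe 'Copy as cURL' would run (hypothetical helper).

    Every field may be controlled by the page that made the request.  The
    method is validated before use, and a body goes through --data-raw, which
    sends a leading '@' literally instead of reading a local file as -d does.
    """
    if not _METHOD_TOKEN.match(method):
        raise ValueError("refusing non-token HTTP method: %r" % method)
    argv = ["curl", url, "-X", method]
    for name, value in headers.items():
        if any(c in name + value for c in "\r\n"):
            raise ValueError("CR/LF in header field %r" % name)
        argv += ["-H", "%s: %s" % (name, value)]
    if body is not None:
        argv += ["--data-raw", body]
    return argv


def copy_as_curl(url, method, headers, body=None):
    """Render argv as one POSIX-shell line.  Each argument is quoted on its
    own, so the pasted line can never start a second command, whatever
    characters the website put in the fields (cmd.exe rules differ)."""
    argv = build_curl_argv(url, method, headers, body)
    return " ".join(shlex.quote(arg) for arg in argv)


def round_trips(command, url, method, headers, body=None):
    """Self-check: splitting the rendered line with POSIX shell rules must give
    back exactly the intended argv; any extra or altered word means the
    quoting failed and a terminal would have seen a different command."""
    return shlex.split(command) == build_curl_argv(url, method, headers, body)


if __name__ == "__main__":
    # Constructed sample: the body carries a quote, a $( ) substitution and a
    # leading '@', the three things an unquoted rendering mishandles.
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    body = "@notes.txt' ; note=O'Brien&when=$(date)"
    cmd = copy_as_curl("https://example.test/submit", "POST", hdrs, body)
    print(cmd)
    assert round_trips(cmd, "https://example.test/submit", "POST", hdrs, body)
```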
EUVDB-ID: #VU27537
Risk: Low
CVSSv3.1: 2.8 [CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12394
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description: The vulnerability allows a local user to perform a spoofing attack.
The vulnerability exists due to a logic flaw in the location bar implementation. A local user can spoof the current location by selecting a different origin and removing focus from the input element.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 70.0 - 75.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://bugzilla.mozilla.org/show_bug.cgi?id=1628288
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27538
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12395
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 60.0 - 75.0
Firefox ESR: 60.0 - 68.7.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
http://bugzilla.mozilla.org/buglist.cgi?bug_id=1595886%2C1611482%2C1614704%2C1624098%2C1625749%2C1626382%2C1628076%2C1631508
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27539
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12396
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Mozilla Firefox: 70.0 - 75.0
External links: http://www.mozilla.org/en-US/security/advisories/mfsa2020-16/
http://bugzilla.mozilla.org/buglist.cgi?bug_id=1339601%2C1611938%2C1620488%2C1622291%2C1627644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.