Risk | High |
Patch available | YES |
Number of vulnerabilities | 10 |
CVE-ID | CVE-2020-15652 CVE-2020-15655 CVE-2020-15653 CVE-2020-15656 CVE-2020-15658 CVE-2020-15657 CVE-2020-15654 CVE-2020-15659 CVE-2020-6514 CVE-2020-6463 |
CWE-ID | CWE-200 CWE-264 CWE-843 CWE-20 CWE-427 CWE-399 CWE-119 CWE-358 CWE-416 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #9 is available. |
Vulnerable software |
Mozilla Firefox Client/Desktop applications / Web browsers Firefox ESR Client/Desktop applications / Web browsers |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
EUVDB-ID: #VU32897
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15652
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in stack trace for JavaScript errors. A remote attacker can obtain result of a cross-origin redirect.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 60.0 - 78.0.2
Firefox ESR: 60.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32900
Risk: Medium
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15655
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists in the Extension APIs. A redirected HTTP request which is observed or modified through a web extension could bypass existing CORS checks, leading to potential disclosure of cross-origin information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32901
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15653
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions, when allowing popups. A remote attacker can create a specially crafted web page with noopener
links that may allow an attacker to bypass iframe sandbox for websites relying on sandbox configurations, if allow-popups
flag is set.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32902
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15656
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when JIT optimizations involving the Javascript arguments
object could confuse later optimizations in IonMonkey. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32903
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15658
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of special characters during file download,
which led to an attacker being able to cut off the file ending at an
earlier position, leading to a different file type being downloaded than
shown in the dialog. A remote attacker can override file type when saving data to disk.
Install updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32904
Risk: Low
CVSSv3.1: 7.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15657
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the application loads DLL libraries in an insecure manner from the installation directory. A remote attacker can place a specially crafted .dll file into directory, from which Firefox is being installed, trick the victim into launching the Firefox installer and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32906
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15654
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
When in an endless loop, a website specifying a custom cursor using CSS could make it look like the user is interacting with the user interface, when they are not. This could lead to a perceived broken state, especially when interactions with existing browser dialogs and warnings do not work.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 70.0 - 78.0.2
Firefox ESR: 78.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32899
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15659
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 60.0 - 78.0.2
Firefox ESR: 60.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU29860
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6514
CWE-ID:
CWE-358 - Improperly Implemented Security Check for Standard
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to WebRTC used the memory address of a class instance as a connection identifier. A remote attacker can use the obtained value to bypass ASLR protection. MitigationInstall updates from vendor's website.
Firefox ESR: 60.0 - 78.0.2
Mozilla Firefox: 60.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU29152
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-6463
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error in ANGLE in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a heap-based buffer overflow and execute arbitrary code on the system.
Install updates from vendor's website.
Firefox ESR: 60.0 - 78.0.2
Mozilla Firefox: 60.0 - 78.0.2
CPE2.3http://www.mozilla.org/en-US/security/advisories/mfsa2020-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-31/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-32/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.