#VU49015 Input validation error in Mozilla Firefox and Firefox ESR


Published: 2020-12-15

Vulnerability identifier: #VU49015

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-26973

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mozilla Firefox
Client/Desktop applications / Web browsers
Firefox ESR
Client/Desktop applications / Web browsers

Vendor: Mozilla

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input within CSS Sanitizer. A remote attacker can create a specially crafted web page, trick the victim into visiting it, and bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mozilla Firefox: 60.0 - 83.0

Firefox ESR: 78.0 - 78.5.0, 68.0 - 68.12.0, 60.0 - 60.9.0

CPE

External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-54/
http://www.mozilla.org/en-US/security/advisories/mfsa2020-55/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Ubuntu update for thunderbird
Input validation error in thunderbird (Alpine package)
Gentoo update for Mozilla Firefox, Mozilla Thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 8.1 update for thunderbird
CentOS 7 update for thunderbird
Red Hat Enterprise Linux 8 update for thunderbird
Red Hat Enterprise Linux 8.2 update for thunderbird
Red Hat Enterprise Linux 7 update for thunderbird
Red Hat Enterprise Linux 8 update for firefox