Unrated severity · NVD Advisory · Published Dec 9, 2020 · Updated Aug 4, 2024
CVE-2020-26951
Description
A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
Affected products
33 entries. osv-coords, 30 versions:
- pkg:rpm/opensuse/firefox-esr&distro=openSUSE%20Tumbleweed (no CPE), range: < 128.5.1-1.1
- pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 78.5.0-lp151.2.79.1
- pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 78.5.0-lp152.2.30.1
- pkg:rpm/opensuse/MozillaFirefox&distro=openSUSE%20Tumbleweed (no CPE), range: < 92.0-1.2
- pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.1 (no CPE), range: < 78.5.0-lp151.2.59.1
- pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Leap%2015.2 (no CPE), range: < 78.5.0-lp152.2.19.1
- pkg:rpm/opensuse/MozillaThunderbird&distro=openSUSE%20Tumbleweed (no CPE), range: < 91.1.1-1.1
- pkg:rpm/suse/MozillaFirefox&distro=HPE%20Helion%20OpenStack%208 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Enterprise%20Storage%205 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP1 (no CPE), range: < 78.5.0-3.119.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP2 (no CPE), range: < 78.5.0-8.17.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS (no CPE), range: < 78.5.0-78.105.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%207 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%208 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaFirefox&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 78.5.0-112.36.1
- pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP1 (no CPE), range: < 78.5.0-3.107.1
- pkg:rpm/suse/MozillaThunderbird&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP2 (no CPE), range: < 78.5.0-3.107.1
- Range: < 83
- Range: < 78.5
- Range: < 78.5
Patches
No patches discovered yet.
References
- bugzilla.mozilla.org/show_bug.cgi (mitre, x_refsource_MISC)
- www.mozilla.org/security/advisories/mfsa2020-50/ (mitre, x_refsource_CONFIRM)
- www.mozilla.org/security/advisories/mfsa2020-51/ (mitre, x_refsource_CONFIRM)
- www.mozilla.org/security/advisories/mfsa2020-52/ (mitre, x_refsource_CONFIRM)