CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

Metric | Value |
---|---|
Percentile | 70.1% |

By holding a reference to the eval() function from an about:blank window, a
malicious webpage could have gained access to the InstallTrigger object,
which would allow it to prompt the user to install an extension. Combined
with user confusion, this could result in an unintended or malicious
extension being installed. This vulnerability affects Firefox < 80,
Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR <
78.2, and Firefox for Android < 80.
Author | Note |
---|---|
tyhicks | mozjs contains a copy of the SpiderMonkey JavaScript engine |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | firefox | < 80.0+build2-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | firefox | < 80.0+build2-0ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 20.10 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 21.04 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 21.10 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 22.04 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 22.10 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 23.04 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 23.10 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
ubuntu | 24.04 | noarch | firefox | < 80.0.1+build1-0ubuntu1 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2020-15664
nvd.nist.gov/vuln/detail/CVE-2020-15664
rhn.redhat.com/errata/RHSA-2020-3558.html
security-tracker.debian.org/tracker/CVE-2020-15664
ubuntu.com/security/notices/USN-4474-1
www.cve.org/CVERecord?id=CVE-2020-15664
www.mozilla.org/en-US/security/advisories/mfsa2020-36/#CVE-2020-15664
www.mozilla.org/en-US/security/advisories/mfsa2020-37/#CVE-2020-15664
www.mozilla.org/en-US/security/advisories/mfsa2020-40/#CVE-2020-15664