CVE-2020-15664
First published: Tue Aug 25 2020(Updated: )
By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed.
Credit: security@mozilla.org security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox ESR | <78.2 | 78.2 |
| Mozilla Firefox ESR | <68.12 | 68.12 |
| Mozilla Thunderbird | <68.12 | 68.12 |
| Mozilla Thunderbird | <78.2 | 78.2 |
| All of | ||
| Mozilla Firefox | =80 | |
| Google Android | ||
| Mozilla Firefox | <80 | 80 |
| Mozilla Firefox | <80.0 | |
| Mozilla Firefox | <80.0 | |
| Mozilla Firefox ESR | <68.12 | |
| Mozilla Firefox ESR | >=78.0<78.2 | |
| Mozilla Thunderbird | <68.12 | |
| Mozilla Thunderbird | >=78.0<78.2 | |
| Mozilla Firefox | >=78.0<78.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.mozilla.org/show_bug.cgi?id=1658214
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-38/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-37/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-39/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/
- https://www.mozilla.org/en-US/security/advisories/mfsa2020-41/
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- https://www.mozilla.org/security/advisories/mfsa2020-37/
- https://www.mozilla.org/security/advisories/mfsa2020-38/
- https://www.mozilla.org/security/advisories/mfsa2020-39/
- https://www.mozilla.org/security/advisories/mfsa2020-40/
- https://www.mozilla.org/security/advisories/mfsa2020-41/
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is CVE-2020-15664?
CVE-2020-15664 is a vulnerability that allowed a malicious webpage to gain access to the InstallTrigger object and prompt the user to install an extension.
Which software versions are affected by CVE-2020-15664?
Mozilla Thunderbird versions up to 78.2, Thunderbird versions up to 68.12, Mozilla Firefox versions up to 80, Mozilla Firefox ESR versions up to 78.2, and Mozilla Firefox ESR versions up to 68.12 are affected by CVE-2020-15664.
What is the severity of CVE-2020-15664?
The severity of CVE-2020-15664 is high with a severity value of 6.5.
How can I fix CVE-2020-15664?
To fix CVE-2020-15664, it is recommended to update to the patched versions of the affected software.
Where can I find more information about CVE-2020-15664?
You can find more information about CVE-2020-15664 on the Mozilla Bugzilla and Mozilla Security Advisories websites.
- collector/mozilla-advisory
- agent/type
- agent/first-publish-date
- source/Mozilla
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/severity
- agent/description
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/event
- agent/softwarecombine
- agent/tags
- agent/trending
- vendor/mozilla
- canonical/mozilla firefox esr
- canonical/mozilla thunderbird
- canonical/mozilla firefox
- version/mozilla firefox/80
- vendor/google
- canonical/google android
- version/mozilla firefox esr/78.0
- version/mozilla thunderbird/78.0
- version/mozilla firefox/78.0