CVE-2020-15666
First published: Tue Aug 25 2020(Updated: )
When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to inferring login status to services or device discovery on a local network among other attacks.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <80.0 | |
| Mozilla Firefox | <80.0 | |
| All of | ||
| Mozilla Firefox | =80 | |
| Google Android | ||
| Mozilla Firefox | <80 | 80 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID is CVE-2020-15666.
What is the severity of CVE-2020-15666?
The severity of CVE-2020-15666 is medium with a CVSS score of 6.5.
Which software products are affected by CVE-2020-15666?
Mozilla Firefox version 80 and Google Android are affected by CVE-2020-15666.
How does CVE-2020-15666 impact users?
CVE-2020-15666 can lead to the disclosure of exact status codes, which can enable attackers to infer login status.
How can I fix CVE-2020-15666?
Update Mozilla Firefox to version 80 or later to fix CVE-2020-15666.
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/tags
- agent/event
- source/Mozilla
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/mozilla
- canonical/mozilla firefox
- version/mozilla firefox/80
- vendor/google
- canonical/google android