CVE-2020-15682
First published: Tue Oct 20 2020(Updated: )
When a link to an external protocol was clicked, a prompt was presented that allowed the user to choose what application to open it in. An attacker could induce that prompt to be associated with an origin they didn't control, resulting in a spoofing attack. This was fixed by changing external protocol prompts to be tab-modal while also ensuring they could not be incorrectly associated with a different origin.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mozilla Firefox | <82 | 82 |
| <82 | 82 | |
| Mozilla Firefox | <82.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-15682.
What is the severity of CVE-2020-15682?
The severity of CVE-2020-15682 is low.
How does CVE-2020-15682 work?
When a link to an external protocol is clicked, a prompt is presented that allows the user to choose what application to open it in. An attacker can induce that prompt to be associated with an origin they don't control, resulting in a spoofing attack.
Which software is affected by CVE-2020-15682?
Mozilla Firefox versions up to exclusive 82 are affected by CVE-2020-15682.
How was CVE-2020-15682 fixed?
CVE-2020-15682 was fixed by changing external protocol handling in Mozilla Firefox.
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- collector/mozilla-advisory
- source/Mozilla
- agent/software-canonical-lookup
- agent/tags
- agent/event
- agent/software-canonical-lookup-request
- vendor/mozilla
- canonical/mozilla firefox