What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2020-26956.

What is the affected software?

The affected software includes Mozilla Firefox ESR version up to 78.5, Mozilla Firefox version up to 83, and Mozilla Thunderbird version up to 78.5.

What is the severity of CVE-2020-26956?

The severity of CVE-2020-26956 is medium (severity value: 4).

How does CVE-2020-26956 affect the software?

CVE-2020-26956 can lead to XSS (cross-site scripting) by allowing existing SVG event handlers to remain after removing HTML elements during sanitization.

How can I fix CVE-2020-26956?

To fix CVE-2020-26956, update to the appropriate version of Mozilla Firefox ESR or Mozilla Thunderbird.

Vulnerability/
CVE-2020-26956

medium

6.1

CWE

17/11/2020

9/12/2020

4/8/2024

CVE-2020-26956: XSS

First published: Tue Nov 17 2020(Updated: )

In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS.

Credit: security@mozilla.org

Affected Software	Affected Version	How to fix
Mozilla Firefox ESR	<78.5	78.5
	<83	83
	<78.5	78.5
	<78.5	78.5
Mozilla Firefox	<83.0
Mozilla Firefox ESR	<78.5
Mozilla Thunderbird	<78.5

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-26956.
What is the affected software?
The affected software includes Mozilla Firefox ESR version up to 78.5, Mozilla Firefox version up to 83, and Mozilla Thunderbird version up to 78.5.
What is the severity of CVE-2020-26956?
The severity of CVE-2020-26956 is medium (severity value: 4).
How does CVE-2020-26956 affect the software?
CVE-2020-26956 can lead to XSS (cross-site scripting) by allowing existing SVG event handlers to remain after removing HTML elements during sanitization.
How can I fix CVE-2020-26956?
To fix CVE-2020-26956, update to the appropriate version of Mozilla Firefox ESR or Mozilla Thunderbird.

collector/mozilla-advisory
agent/type
agent/last-modified-date
agent/first-publish-date
agent/softwarecombine
agent/references
agent/author
agent/severity
source/Mozilla
agent/software-canonical-lookup
agent/event
agent/description
agent/software-canonical-lookup-request
agent/weakness
agent/tags
collector/nvd-index
collector/mitre-cve
source/MITRE
vendor/mozilla
canonical/mozilla firefox esr
canonical/mozilla thunderbird
canonical/mozilla firefox

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.