What is CVE-2020-26965?

CVE-2020-26965 is a vulnerability that allows the typed password in a password field to be revealed when using the "Show Password" feature on certain websites.

Which software products are affected by CVE-2020-26965?

CVE-2020-26965 affects Mozilla Firefox ESR (up to version 78.5), Mozilla Thunderbird (up to version 78.5), and Mozilla Firefox (up to version 83.0).

What is the severity of CVE-2020-26965?

CVE-2020-26965 has a severity value of 6.5, which is considered medium.

How can the CVE-2020-26965 vulnerability be fixed?

To fix the CVE-2020-26965 vulnerability, update Mozilla Firefox ESR to version 78.5 or later, update Mozilla Thunderbird to version 78.5 or later, or update Mozilla Firefox to version 83.0 or later.

Where can I find more information about CVE-2020-26965?

More information about CVE-2020-26965 can be found in the Mozilla Bugzilla report at https://bugzilla.mozilla.org/show_bug.cgi?id=1661617 and the Mozilla security advisories at https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/ and https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/

Vulnerability/
CVE-2020-26965

medium

6.5

CWE

212

17/11/2020

9/12/2020

4/8/2024

CVE-2020-26965

First published: Tue Nov 17 2020(Updated: )

Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password.

Credit: security@mozilla.org

Affected Software	Affected Version	How to fix
Mozilla Firefox ESR	<78.5	78.5
	<83	83
	<78.5	78.5
	<78.5	78.5
Mozilla Firefox	<83.0
Mozilla Firefox ESR	<78.5
Mozilla Thunderbird	<78.5

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

What is CVE-2020-26965?
CVE-2020-26965 is a vulnerability that allows the typed password in a password field to be revealed when using the "Show Password" feature on certain websites.
Which software products are affected by CVE-2020-26965?
CVE-2020-26965 affects Mozilla Firefox ESR (up to version 78.5), Mozilla Thunderbird (up to version 78.5), and Mozilla Firefox (up to version 83.0).
What is the severity of CVE-2020-26965?
CVE-2020-26965 has a severity value of 6.5, which is considered medium.
How can the CVE-2020-26965 vulnerability be fixed?
To fix the CVE-2020-26965 vulnerability, update Mozilla Firefox ESR to version 78.5 or later, update Mozilla Thunderbird to version 78.5 or later, or update Mozilla Firefox to version 83.0 or later.
Where can I find more information about CVE-2020-26965?
More information about CVE-2020-26965 can be found in the Mozilla Bugzilla report at https://bugzilla.mozilla.org/show_bug.cgi?id=1661617 and the Mozilla security advisories at https://www.mozilla.org/en-US/security/advisories/mfsa2020-51/ and https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/

collector/mozilla-advisory
agent/type
agent/last-modified-date
agent/first-publish-date
agent/softwarecombine
agent/references
agent/author
agent/severity
agent/weakness
source/Mozilla
agent/software-canonical-lookup
agent/event
agent/software-canonical-lookup-request
agent/description
agent/tags
collector/nvd-index
collector/mitre-cve
source/MITRE
vendor/mozilla
canonical/mozilla firefox esr
canonical/mozilla thunderbird
canonical/mozilla firefox