First published: Tue Feb 11 2020
If a <template> tag was used in a <select> tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.
Credit: security@mozilla.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mozilla Thunderbird | <68.5 | 68.5 |
Mozilla Firefox ESR | <68.5 | 68.5 |
Mozilla Firefox | <73 | 73 |
Mozilla Firefox | <73.0 | |
Mozilla Firefox ESR | <68.5.0 | |
Mozilla Thunderbird | <68.5.0 | |
debian/firefox | 133.0.3-1 | |
debian/firefox-esr | 115.14.0esr-1~deb11u1 128.5.0esr-1~deb11u1 128.3.1esr-1~deb12u1 128.5.0esr-1~deb12u1 128.5.0esr-1 128.5.1esr-1 | |
debian/thunderbird | 1:115.12.0-1~deb11u1 1:128.5.0esr-1~deb11u1 1:115.16.0esr-1~deb12u1 1:128.5.0esr-1~deb12u1 1:128.5.2esr-1 | |
CVE-2020-6798 is a vulnerability that allows JavaScript parsing and execution in a select tag when a template tag is used, resulting in a potential cross-site scripting vulnerability.
Mozilla Firefox ESR version 68.5, Mozilla Firefox up to version 73.0, Mozilla Thunderbird up to version 68.5, and certain versions of Ubuntu Firefox and Thunderbird packages are affected by CVE-2020-6798.
The severity of CVE-2020-6798 is medium with a CVSS score of 6.1.
Update your Mozilla Firefox or Thunderbird to the latest version, or apply the recommended updates for the affected Ubuntu packages.
You can find more information about CVE-2020-6798 on the Mozilla Bugzilla and Mozilla Security Advisories websites.