CVE-2020-26967 (GCVE-0-2020-26967)

Vulnerability from cvelistv5 – Published: 2020-12-09 00:25 – Updated: 2024-08-04 16:03
VLAI?
Summary
When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox < 83.
Severity ?
No CVSS data available.
CWE
  • Mutation Observers could break or confuse Firefox Screenshots feature
Assigner
References
Impacted products
Vendor Product Version
Mozilla Firefox Affected: < 83
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T16:03:23.194Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665820"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 83"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox \u003c 83."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Mutation Observers could break or confuse Firefox Screenshots feature",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-12-09T00:25:40",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665820"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@mozilla.org",
          "ID": "CVE-2020-26967",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Firefox",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 83"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Mozilla"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox \u003c 83."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Mutation Observers could break or confuse Firefox Screenshots feature"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665820",
              "refsource": "MISC",
              "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1665820"
            },
            {
              "name": "https://www.mozilla.org/security/advisories/mfsa2020-50/",
              "refsource": "CONFIRM",
              "url": "https://www.mozilla.org/security/advisories/mfsa2020-50/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2020-26967",
    "datePublished": "2020-12-09T00:25:40",
    "dateReserved": "2020-10-12T00:00:00",
    "dateUpdated": "2024-08-04T16:03:23.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"83.0\", \"matchCriteriaId\": \"9385C808-43DD-4D02-B1A9-89A2E3986DF2\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox \u003c 83.\"}, {\"lang\": \"es\", \"value\": \"Cuando se escuchan unos cambios de p\\u00e1gina con un Mutation Observer, una p\\u00e1gina web maliciosa podr\\u00eda confundir unas Screenshots de Firefox para interactuar con elementos distintos a los que inyect\\u00f3 en la p\\u00e1gina.\u0026#xa0;Esto conllevar\\u00eda a errores internos y un comportamiento inesperado en el c\\u00f3digo de Screenshots.\u0026#xa0;Esta vulnerabilidad afecta a Firefox versiones anteriores a 83\"}]",
      "id": "CVE-2020-26967",
      "lastModified": "2024-11-21T05:20:35.797",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-12-09T01:15:13.643",
      "references": "[{\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1665820\", \"source\": \"security@mozilla.org\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2020-50/\", \"source\": \"security@mozilla.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.mozilla.org/show_bug.cgi?id=1665820\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Vendor Advisory\"]}, {\"url\": \"https://www.mozilla.org/security/advisories/mfsa2020-50/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@mozilla.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-26967\",\"sourceIdentifier\":\"security@mozilla.org\",\"published\":\"2020-12-09T01:15:13.643\",\"lastModified\":\"2024-11-21T05:20:35.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. This vulnerability affects Firefox \u003c 83.\"},{\"lang\":\"es\",\"value\":\"Cuando se escuchan unos cambios de p\u00e1gina con un Mutation Observer, una p\u00e1gina web maliciosa podr\u00eda confundir unas Screenshots de Firefox para interactuar con elementos distintos a los que inyect\u00f3 en la p\u00e1gina.\u0026#xa0;Esto conllevar\u00eda a errores internos y un comportamiento inesperado en el c\u00f3digo de Screenshots.\u0026#xa0;Esta vulnerabilidad afecta a Firefox versiones anteriores a 83\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"83.0\",\"matchCriteriaId\":\"9385C808-43DD-4D02-B1A9-89A2E3986DF2\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1665820\",\"source\":\"security@mozilla.org\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-50/\",\"source\":\"security@mozilla.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.mozilla.org/show_bug.cgi?id=1665820\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Vendor Advisory\"]},{\"url\":\"https://www.mozilla.org/security/advisories/mfsa2020-50/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.