GSD-2020-15677
Vulnerability from gsd - Updated: 2023-12-13 01:21Details
By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-15677",
"description": "By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3.",
"id": "GSD-2020-15677",
"references": [
"https://www.suse.com/security/cve/CVE-2020-15677.html",
"https://www.debian.org/security/2020/dsa-4770",
"https://www.debian.org/security/2020/dsa-4768",
"https://access.redhat.com/errata/RHSA-2020:4163",
"https://access.redhat.com/errata/RHSA-2020:4158",
"https://access.redhat.com/errata/RHSA-2020:4157",
"https://access.redhat.com/errata/RHSA-2020:4156",
"https://access.redhat.com/errata/RHSA-2020:4155",
"https://access.redhat.com/errata/RHSA-2020:4080",
"https://access.redhat.com/errata/RHSA-2020:3835",
"https://access.redhat.com/errata/RHSA-2020:3834",
"https://access.redhat.com/errata/RHSA-2020:3833",
"https://access.redhat.com/errata/RHSA-2020:3832",
"https://ubuntu.com/security/CVE-2020-15677",
"https://advisories.mageia.org/CVE-2020-15677.html",
"https://security.archlinux.org/CVE-2020-15677",
"https://linux.oracle.com/cve/CVE-2020-15677.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2020-15677"
],
"details": "By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3.",
"id": "GSD-2020-15677",
"modified": "2023-12-13T01:21:43.382273Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2020-15677",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "81"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "78.3"
}
]
}
},
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "78.3"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Download origin spoofing via redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2020-43/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-43/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2020-44/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-44/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2020-42/",
"refsource": "MISC",
"url": "https://www.mozilla.org/security/advisories/mfsa2020-42/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1641487",
"refsource": "MISC",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1641487"
},
{
"name": "DSA-4770",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4770"
},
{
"name": "[debian-lts-announce] 20201016 [SECURITY] [DLA 2408-1] thunderbird security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html"
},
{
"name": "GLSA-202010-02",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202010-02"
},
{
"name": "openSUSE-SU-2020:1780",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html"
},
{
"name": "openSUSE-SU-2020:1785",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html"
}
]
}
},
"mozilla.org": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2020-15677"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Firefox ESR",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "78.3"
}
]
}
},
{
"product_name": "Thunderbird",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "78.3"
}
]
}
},
{
"product_name": "Firefox",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "81"
}
]
}
}
]
},
"vendor_name": "Mozilla"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox ESR \u003c 78.3, Thunderbird \u003c 78.3, and Firefox \u003c 81."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Download origin spoofing via redirect"
}
]
}
]
},
"references": {
"reference_data": [
{
"url": "https://www.mozilla.org/security/advisories/mfsa2020-44/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2020-43/"
},
{
"url": "https://www.mozilla.org/security/advisories/mfsa2020-42/"
},
{
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1641487"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "78.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "78.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "81.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@mozilla.org",
"ID": "CVE-2020-15677"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox \u003c 81, Thunderbird \u003c 78.3, and Firefox ESR \u003c 78.3."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mozilla.org/security/advisories/mfsa2020-42/",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2020-42/"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2020-43/",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2020-43/"
},
{
"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1641487",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Permissions Required",
"Vendor Advisory"
],
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1641487"
},
{
"name": "https://www.mozilla.org/security/advisories/mfsa2020-44/",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://www.mozilla.org/security/advisories/mfsa2020-44/"
},
{
"name": "DSA-4770",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4770"
},
{
"name": "[debian-lts-announce] 20201016 [SECURITY] [DLA 2408-1] thunderbird security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html"
},
{
"name": "GLSA-202010-02",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202010-02"
},
{
"name": "openSUSE-SU-2020:1785",
"refsource": "SUSE",
"tags": [
"Broken Link",
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html"
},
{
"name": "openSUSE-SU-2020:1780",
"refsource": "SUSE",
"tags": [
"Broken Link",
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2022-11-16T15:15Z",
"publishedDate": "2020-10-01T19:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…