Severity

High

Analysis Summary

CVE-2020-15674

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-15678

Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free vulnerability. An iterator may become invalid when recursing through graphical layers while scrolling. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.

CVE-2020-15676

Mozilla Firefox is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when pasting attacker-controlled data into a contenteditable element. A remote attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVE-2020-15677

Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, using an open redirect vulnerability. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the site displayed in the download file dialog to show the original site.

Impact

• Gain Access
• Denial of service
• Cross-site scripting

Affected Vendors

Mozilla

Affected Products

• Mozilla Firefox 80
• Mozilla Firefox ESR 78.2

Remediation

Refer to Mozilla advisory for the complete list of affected products and their respective patches.

https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/