Published: 09/12/2020 Updated: 08/04/2022

CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8

VMScore: 970

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

The Mozilla Foundation Security Advisory describes this flaw as:Mozilla developer reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2020-15673) The Mozilla Foundation Security Advisory describes this flaw as:Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. (CVE-2020-15676) The Mozilla Foundation Security Advisory describes this flaw as:By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. (CVE-2020-15677) The Mozilla Foundation Security Advisory describes this flaw as:When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function `APZCTreeManager::ComputeClippedCompositionBounds` did not follow iterator invalidation rules. (CVE-2020-15678) Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4, Firefox < 82, and Thunderbird < 78.4. (CVE-2020-15683) Use after free in WebRTC in Google Chrome before 86.0.4240.75 allowed a remote malicious user to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15969) In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. (CVE-2020-26950)

Vulnerable Product	Search on Vulmon	Subscribe to Product
mozilla firefox
mozilla firefox esr
mozilla thunderbird

A use-after-free was found in Thunderbird, which could potentially result in the execution of arbitrary code For the stable distribution (buster), this problem has been fixed in version 1:7842-1~deb10u1 We recommend that you upgrade your thunderbird packages For the detailed security status of thunderbird please refer to its security tracker p ...

A use-after-free was found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code For the stable distribution (buster), this problem has been fixed in version 7841esr-1~deb10u1 We recommend that you upgrade your firefox-esr packages For the detailed security status of firefox-esr please refer to i ...

The Mozilla Foundation Security Advisory describes this flaw as:Mozilla developer reported memory safety bugs present in Firefox 80 and Firefox ESR 782 Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-15673) The Mozilla Foundatio ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 81 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability Scoring Sy ...

Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 82 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability Scoring Sy ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability Scoring System (CVSS) base score, wh ...

Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 82 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability Scoring System (CVSS) base score, wh ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 80 Update Services for SAP SolutionsRed Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability ...

Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic An update for firefox is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Critical A Common Vulnerability Scoring System (CVSS) base score, wh ...

Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 81 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability ...

Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) bas ...

Synopsis Important: thunderbird security update Type/Severity Security Advisory: Important Topic An update for thunderbird is now available for Red Hat Enterprise Linux 80 Update Services for SAP SolutionsRed Hat Product Security has rated this update as having a security impact of Important A Common Vul ...

Mozilla Foundation Security Advisory 2020-49 Security Vulnerabilities fixed in Firefox 8203, Firefox ESR 7841, and Thunderbird 7842 Announced November 9, 2020 Impact critical Products Firefox, Firefox ESR, Thunderbird Fixed in ...

A use-after-free has been found in Firefox before 8203 where, in certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions ...

This Metasploit modules exploits CVE-2020-26950, a use-after-free exploit in Firefox The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives The shellcode is forced into ...

This modules exploits CVE-2020-26950, a use after free exploit in Firefox The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives ...

This modules exploits CVE-2020-26950, a use after free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2, however only Firefox <= 79 is supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.

msf > use exploit/multi/browser/firefox_jit_use_after_free
msf exploit(firefox_jit_use_after_free) > show targets
    ...targets...
msf exploit(firefox_jit_use_after_free) > set TARGET < target-id >
msf exploit(firefox_jit_use_after_free) > show options
    ...show and set options...
msf exploit(firefox_jit_use_after_free) > exploit

CWE-416 https://bugzilla.mozilla.org/show_bug.cgi?id=1675905 https://www.mozilla.org/security/advisories/mfsa2020-49/http://packetstormsecurity.com/files/166175/Firefox-MCallGetProperty-Write-Side-Effects-Use-After-Free.html https://nvd.nist.gov https://www.debian.org/security/2020/dsa-4790 https://www.rapid7.com/db/modules/exploit/multi/browser/firefox_jit_use_after_free/https://alas.aws.amazon.com/AL2/ALAS-2020-1572.html

Get Started

CVE-2020-26950

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

Metasploit Modules

References

Vulmon Search

About

Products

Connect