CVE-2020-26979 - OpenCVE

When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Mozilla	Firefox

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

References

Link	Resource
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1641287%2C1673299	Exploit Issue Tracking Patch Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-54/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mozilla

Published: 2021-01-07T13:51:22

Updated: 2021-01-07T13:51:22

Reserved: 2020-10-12T00:00:00

Link: CVE-2020-26979

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-07T14:15:12.377

Modified: 2021-01-12T16:38:37.330

Link: CVE-2020-26979

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "84", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84."}], "problemTypes": [{"descriptions": [{"description": "When entering an address in the address or search bars, a website could have redirected the user before they were navigated to the intended url", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-07T13:51:22", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1641287%2C1673299"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-26979", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "84"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "When entering an address in the address or search bars, a website could have redirected the user before they were navigated to the intended url"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2020-54/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}, {"name": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1641287%2C1673299", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1641287%2C1673299"}]}}}}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2020-26979", "datePublished": "2021-01-07T13:51:22", "dateReserved": "2020-10-12T00:00:00", "dateUpdated": "2021-01-07T13:51:22", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "85154F06-6654-493F-8630-38637ED7D8D0", "versionEndExcluding": "84.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When a user typed a URL in the address bar or the search bar and quickly hit the enter key, a website could sometimes capture that event and then redirect the user before navigation occurred to the desired, entered address. To construct a convincing spoof the attacker would have had to guess what the user was typing, perhaps by suggesting it. This vulnerability affects Firefox < 84."}, {"lang": "es", "value": "Cuando un usuario escribi\u00f3 una URL en la barra de direcciones o en la barra de b\u00fasqueda y presion\u00f3 r\u00e1pidamente la tecla Intro, un sitio web a veces pod\u00eda capturar ese evento y luego redireccionar al usuario antes de que la navegaci\u00f3n ocurriera hacia la direcci\u00f3n ingresada deseada. Para construir una copia convincente, el atacante habr\u00eda tenido que adivinar lo que estaba escribiendo el usuario, quiz\u00e1s sugiri\u00e9ndolo. Esta vulnerabilidad afecta a Firefox versiones anteriores a 84"}], "id": "CVE-2020-26979", "lastModified": "2021-01-12T16:38:37.330", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-07T14:15:12.377", "references": [{"source": "security@mozilla.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1641287%2C1673299"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}