CVE-2020-26951
CVSS 3.1 base score: 6.1 (MEDIUM)
EPSS: 0.43%
Description
A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.
How to fix CVE-2020-26951
To remediate CVE-2020-26951, upgrade the affected package to a fixed version below.
- upgrade to 78.5.0esr-1 or later
- upgrade to 1:78.5.0-1 or later
Is CVE-2020-26951 being exploited?
Low: EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 78.5.0esr-1
- from 0, < 1:78.5.0-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |