{"containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "84", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "78.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "78.6", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6."}], "problemTypes": [{"descriptions": [{"description": "Internal network hosts could have been probed by a malicious webpage", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-07T13:51:36", "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-56/"}, {"tags": ["x_refsource_MISC"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-55/"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677047"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@mozilla.org", "ID": "CVE-2020-26978", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Firefox", "version": {"version_data": [{"version_affected": "<", "version_value": "84"}]}}, {"product_name": "Thunderbird", "version": {"version_data": [{"version_affected": "<", "version_value": "78.6"}]}}, {"product_name": "Firefox ESR", "version": {"version_data": [{"version_affected": "<", "version_value": "78.6"}]}}]}, "vendor_name": "Mozilla"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Internal network hosts could have been probed by a malicious webpage"}]}]}, "references": {"reference_data": [{"name": "https://www.mozilla.org/security/advisories/mfsa2020-54/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2020-56/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2020-56/"}, {"name": "https://www.mozilla.org/security/advisories/mfsa2020-55/", "refsource": "MISC", "url": "https://www.mozilla.org/security/advisories/mfsa2020-55/"}, {"name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677047", "refsource": "MISC", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677047"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:03:23.179Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-56/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-55/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677047"}]}]}, "cveMetadata": {"assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "assignerShortName": "mozilla", "cveId": "CVE-2020-26978", "datePublished": "2021-01-07T13:51:36", "dateReserved": "2020-10-12T00:00:00", "dateUpdated": "2024-08-04T16:03:23.179Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "85154F06-6654-493F-8630-38637ED7D8D0", "versionEndExcluding": "84.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*", "matchCriteriaId": "4535E34E-E949-48ED-A8F5-7D93B4731EA6", "versionEndExcluding": "78.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "048CBDDB-2C1B-415B-8DF9-54C002236180", "versionEndExcluding": "78.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6."}, {"lang": "es", "value": "Usando t\u00e9cnicas que se basaron en la investigaci\u00f3n de slipstream, una p\u00e1gina web maliciosa podr\u00eda haber expuesto tanto los hosts de una red interna como los servicios que se ejecutan en la m\u00e1quina local del usuario.&#xa0;Esta vulnerabilidad afecta a Firefox versiones anteriores a 84, Thunderbird versiones anteriores a 78,6 y Firefox ESR versiones anteriores a 78,6"}], "id": "CVE-2020-26978", "lastModified": "2021-01-12T16:14:52.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-07T14:15:12.297", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1677047"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-54/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-55/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2020-56/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Ben Seri, Gregory Vishnepolsky, and Samy Kamkar as the original reporters.", "affected_release": [{"advisory": "RHSA-2020:5561", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "firefox-0:78.6.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-12-16T00:00:00Z"}, {"advisory": "RHSA-2020:5618", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "thunderbird-0:78.6.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2020-12-17T00:00:00Z"}, {"advisory": "RHSA-2020:5562", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:78.6.0-1.el8_3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-12-16T00:00:00Z"}, {"advisory": "RHSA-2020:5624", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:78.6.0-1.el8_3", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-12-17T00:00:00Z"}, {"advisory": "RHSA-2020:5565", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "firefox-0:78.6.0-1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-12-16T00:00:00Z"}, {"advisory": "RHSA-2020:5645", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "thunderbird-0:78.6.0-1.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-12-21T00:00:00Z"}, {"advisory": "RHSA-2020:5564", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "firefox-0:78.6.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-12-16T00:00:00Z"}, {"advisory": "RHSA-2020:5644", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "thunderbird-0:78.6.0-1.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-12-21T00:00:00Z"}, {"advisory": "RHSA-2020:5563", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "firefox-0:78.6.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2020-12-16T00:00:00Z"}, {"advisory": "RHSA-2020:5622", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "thunderbird-0:78.6.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2020-12-17T00:00:00Z"}], "bugzilla": {"description": "Mozilla: Internal network hosts could have been probed by a malicious webpage", "id": "1908025", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1908025"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.", "The Mozilla Foundation Security Advisory describes this flaw as:\nUsing techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine."], "name": "CVE-2020-26978", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2020-12-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-26978\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26978\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-55/#CVE-2020-26978"], "threat_severity": "Moderate", "upstream_fix": "thunderbird 78.6, firefox 78.6"}