CVE-2020-6798 Information

Description

If a template tag was used in a select tag the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail but is potentially a risk in browser or browser-like contexts. This vulnerability affects Thunderbird 68.5 Firefox 73 and Firefox ESR68.5.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=1602944 https://security.gentoo.org/glsa/202003-02 https://security.gentoo.org/glsa/202003-10 https://usn.ubuntu.com/4278-2/ https://usn.ubuntu.com/4328-1/ https://usn.ubuntu.com/4335-1/ https://www.mozilla.org/security/advisories/mfsa2020-05/ https://www.mozilla.org/security/advisories/mfsa2020-06/ https://www.mozilla.org/security/advisories/mfsa2020-07/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1