CVE-2020-6798 - log

CVE-2020-6798 edited at 13 Feb 2020 09:20:45
Description
- An incorrect parsing of template could result in Javascript injection in Firefox before 73.0. If a <template> tag was used in a <select%gt; tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.
+ An incorrect parsing of template could result in Javascript injection in Firefox before 73.0 and Thunderbird before 68.5. If a <template> tag was used in a <select%gt; tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.
In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but is potentially a risk in browser or browser-like contexts.
CVE-2020-6798 edited at 13 Feb 2020 09:20:34
Description
An incorrect parsing of template could result in Javascript injection in Firefox before 73.0. If a <template> tag was used in a <select%gt; tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.
+ In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but is potentially a risk in browser or browser-like contexts.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6798
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6798
https://bugzilla.mozilla.org/show_bug.cgi?id=1602944
CVE-2020-6798 edited at 11 Feb 2020 15:12:36
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Cross-site scripting
Description
+ An incorrect parsing of template could result in Javascript injection in Firefox before 73.0. If a <template> tag was used in a <select%gt; tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-05/#CVE-2020-6798
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1602944
Notes
CVE-2020-6798 created at 11 Feb 2020 15:10:13