{"api_version":"1","generated_at":"2026-04-23T02:14:31+00:00","cve":"CVE-2020-15677","urls":{"html":"https://cve.report/CVE-2020-15677","api":"https://cve.report/api/cve/CVE-2020-15677.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-15677","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-15677"},"summary":{"title":"CVE-2020-15677","description":"By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2020-10-01 19:15:00","updated_at":"2022-11-16 15:15:00"},"problem_types":["CWE-601"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2020/dsa-4770","name":"DSA-4770","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4770-1 thunderbird","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html","name":"openSUSE-SU-2020:1785","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1785-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-44/","name":"https://www.mozilla.org/security/advisories/mfsa2020-44/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Thunderbird 78.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html","name":"openSUSE-SU-2020:1780","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1780-1: important: Security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1641487","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1641487","refsource":"MISC","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"Access Denied","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-43/","name":"https://www.mozilla.org/security/advisories/mfsa2020-43/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox ESR 78.3 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-42/","name":"https://www.mozilla.org/security/advisories/mfsa2020-42/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox 81 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html","name":"[debian-lts-announce] 20201016 [SECURITY] [DLA 2408-1] thunderbird security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2408-1] thunderbird security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202010-02","name":"GLSA-202010-02","refsource":"GENTOO","tags":[],"title":"Mozilla Firefox, Mozilla Thunderbird: Multiple vulnerabilities (GLSA 202010-02) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-15677","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15677","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox_esr","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"thunderbird","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15677","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-15677","qid":"296071","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 27.82.1 Missing (CPUOCT2020)"},{"cve":"CVE-2020-15677","qid":"500936","title":"Alpine Linux Security Update for firefox-esr"},{"cve":"CVE-2020-15677","qid":"500954","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2020-15677","qid":"503839","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2020-15677","qid":"750615","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2020:1574-1)"},{"cve":"CVE-2020-15677","qid":"750622","title":"OpenSUSE Security Update for MozillaFirefox (openSUSE-SU-2020:1555-1)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-15677","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"81","version_affected":"<"}]}},{"product_name":"Thunderbird","version":{"version_data":[{"version_value":"78.3","version_affected":"<"}]}},{"product_name":"Firefox ESR","version":{"version_data":[{"version_value":"78.3","version_affected":"<"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Download origin spoofing via redirect"}]}]},"references":{"reference_data":[{"url":"https://www.mozilla.org/security/advisories/mfsa2020-43/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2020-43/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-44/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2020-44/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-42/","refsource":"MISC","name":"https://www.mozilla.org/security/advisories/mfsa2020-42/"},{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1641487","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=1641487"},{"refsource":"DEBIAN","name":"DSA-4770","url":"https://www.debian.org/security/2020/dsa-4770"},{"refsource":"MLIST","name":"[debian-lts-announce] 20201016 [SECURITY] [DLA 2408-1] thunderbird security update","url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00020.html"},{"refsource":"GENTOO","name":"GLSA-202010-02","url":"https://security.gentoo.org/glsa/202010-02"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1780","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00074.html"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1785","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00077.html"}]},"description":{"description_data":[{"lang":"eng","value":"By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3."}]}},"nvd":{"publishedDate":"2020-10-01 19:15:00","lastModifiedDate":"2022-11-16 15:15:00","problem_types":["CWE-601"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*","versionEndExcluding":"78.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*","versionEndExcluding":"78.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"81.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"15677","Ordinal":"177075","Title":"CVE-2020-15677","CVE":"CVE-2020-15677","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"15677","Ordinal":"1","NoteData":"By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from. This vulnerability affects Firefox < 81, Thunderbird < 78.3, and Firefox ESR < 78.3.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"15677","Ordinal":"2","NoteData":"2020-10-01","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"15677","Ordinal":"3","NoteData":"2020-10-31","Type":"Other","Title":"Modified"}]}}}