{"api_version":"1","generated_at":"2026-04-23T02:17:17+00:00","cve":"CVE-2020-26962","urls":{"html":"https://cve.report/CVE-2020-26962","api":"https://cve.report/api/cve/CVE-2020-26962.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-26962","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-26962"},"summary":{"title":"CVE-2020-26962","description":"Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolation. This vulnerability affects Firefox < 83.","state":"PUBLIC","assigner":"security@mozilla.org","published_at":"2020-12-09 01:15:00","updated_at":"2020-12-10 17:36:00"},"problem_types":["CWE-1021"],"metrics":[],"references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=610997","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=610997","refsource":"MISC","tags":["Issue Tracking","Permissions Required","Vendor Advisory"],"title":"610997 – Username + Password Autofill allows Forced Login via Clickjacking","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.mozilla.org/security/advisories/mfsa2020-50/","name":"https://www.mozilla.org/security/advisories/mfsa2020-50/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"Security Vulnerabilities fixed in Firefox 83 — Mozilla","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-26962","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26962","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"26962","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"26962","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mozilla","cpe5":"firefox","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-26962","qid":"500957","title":"Alpine Linux Security Update for firefox"},{"cve":"CVE-2020-26962","qid":"503842","title":"Alpine Linux Security Update for firefox"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-26962","ASSIGNER":"security@mozilla.org","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Mozilla","product":{"product_data":[{"product_name":"Firefox","version":{"version_data":[{"version_value":"< 83"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Cross-origin iframes supported login autofill"}]}]},"references":{"reference_data":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=610997","refsource":"MISC","name":"https://bugzilla.mozilla.org/show_bug.cgi?id=610997"},{"refsource":"CONFIRM","name":"https://www.mozilla.org/security/advisories/mfsa2020-50/","url":"https://www.mozilla.org/security/advisories/mfsa2020-50/"}]},"description":{"description_data":[{"lang":"eng","value":"Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolation. This vulnerability affects Firefox < 83."}]}},"nvd":{"publishedDate":"2020-12-09 01:15:00","lastModifiedDate":"2020-12-10 17:36:00","problem_types":["CWE-1021"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*","versionEndExcluding":"83.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"26962","Ordinal":"188396","Title":"CVE-2020-26962","CVE":"CVE-2020-26962","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"26962","Ordinal":"1","NoteData":"Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolation. This vulnerability affects Firefox < 83.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"26962","Ordinal":"2","NoteData":"2020-12-08","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"26962","Ordinal":"3","NoteData":"2020-12-08","Type":"Other","Title":"Modified"}]}}}