Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-26958 |
CWE-ID | CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | firefox-esr (Alpine package) |
Category | Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU48463
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-26958
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because Firefox does not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. A remote attacker can exploit this behavior to perform a cross-site script inclusion attack or bypass implemented Content Security Policy restrictions.
Mitigation
Install update from vendor's website.
Vulnerable software versions
firefox-esr (Alpine package): 78.3.1-r0 - 78.3.1-r1
CPE2.3
http://git.alpinelinux.org/aports/commit/?id=2e45465b6ffd2da160f42818b5b2b4679a98f7a8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.