CVE-2020-15666

Published: Oct 1, 2020Modified: Jun 17, 2026

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

When trying to load a non-video in an audio/video context the exact status code (200, 302, 404, 500, 412, 403, etc.) was disclosed via the MediaError Message. This level of information leakage is inconsistent with the standardized onerror/onsuccess disclosure and can lead to inferring login status to services or device discovery on a local network among other attacks. This vulnerability affects Firefox < 80 and Firefox for Android < 80.

Affected (2)

Products: Mozilla: Firefox

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 80.0
Mozilla Firefox	Before 80.0

Related CWEs

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

References (6)

https://bugzilla.mozilla.org/show_bug.cgi?id=1450853

Source: security@mozilla.org

ExploitIssue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-36/

Source: security@mozilla.org

Release NotesVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-39/

Source: security@mozilla.org

Release NotesVendor Advisory

https://bugzilla.mozilla.org/show_bug.cgi?id=1450853

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-36/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://www.mozilla.org/security/advisories/mfsa2020-39/

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.