CVE-2020-15664

Name: CVE-2020-15664
Creator: NVD / NIST
Published: 2020-10-01T19:15:13.047+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 1.36%

Last modified Jun 17, 2026

CVE-2020-15664 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. EPSS estimates a 1.36% chance of exploitation in the next 30 days.

Description

By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS Probability

1.36%

68.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Mozilla	Firefox	< 80.0
Mozilla	Firefox	>= 78.0, < 78.2
Mozilla	Firefox Esr	< 68.12
Mozilla	Thunderbird	< 68.12
Mozilla	Thunderbird	>= 78.0, < 78.2

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1658214Issue Tracking, Permissions Required, Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-36/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-37/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-38/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-39/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-40/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-41/Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1658214Issue Tracking, Permissions Required, Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-36/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-37/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-38/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-39/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-40/Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2020-41/Vendor Advisory

Timeline

Published: Oct 1, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-15664?

How severe is CVE-2020-15664?

CVE-2020-15664 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.36% probability of exploitation in the next 30 days.

How do I fix CVE-2020-15664?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-15664?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST