CVE-2020-15658

high

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

8.0

Description

The code for downloading files did not properly take care of special characters, which led to an attacker being able to cut off the file ending at an earlier position, leading to a different file type being downloaded than shown in the dialog. This vulnerability affects Firefox ESR < 78.1, Firefox < 79, and Thunderbird < 78.1.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-15658

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2020-15658.html

OS impact

OS	Version	Status	Fixed in
arch		fixed	`79.0-1`
sles		affected
debian	sid	fixed	`79.0-1`
debian	bookworm	fixed	`0`
debian	bullseye	fixed	`0`
debian	forky	fixed	`0`
debian	trixie	fixed	`0`

References

https://www.suse.com/security/cve/CVE-2020-15658.html
https://security-tracker.debian.org/tracker/CVE-2020-15658

Verify integrity in audit chain (admin only). AS-IS.