CVE-2020-8276

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-8276

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8276.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-8276

Published

2020-11-09T15:15:13.600Z

Modified

2026-04-10T04:28:21.416977Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.

References

https://hackerone.com/reports/1024668

Affected packages

Git / github.com/brave/brave-browser

Affected ranges

Type

GIT

Repo

https://github.com/brave/brave-browser

Events

Introduced

Last affected

450c1fc3f6836711b1788b32729ce9b14ab95104

Database specific

{
    "versions": [
        {
            "introduced": "1.1"
        },
        {
            "last_affected": "1.18.35"
        }
    ]
}

Affected versions

Other

dev-latest

v0.*

v0.50.13

v0.50.14

v0.54.0

v0.54.1

v0.54.2

v0.54.3

v0.54.4

v0.55.1

v0.55.2

v0.55.3

v0.55.4

v0.55.5

v1.*

v1.18.35

v1.5.100b

v1.5.58b

v1.5.59b

v1.5.89b

v1.5.90b

v1.5.97b

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8276.json"