Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2020-15662 CVE-2020-15661 CVE-2020-15651 |
CWE-ID | CWE-264 CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Firefox for iOS (Mobile applications / Apps for mobile phones) |
Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU32931
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15662
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because a rogue webpage could override the injected WKUserScript used by the download feature. A remote attacker can trick the browser into downloading an unintended file to the device.
Install updates from vendor's website.
Vulnerable software versions
Firefox for iOS: 20.0 - 27.0
External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32932
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15661
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because a rogue webpage could override the injected WKUserScript used by the logins autofill. A remote attacker can gain access to the user's passwords for the current domain.
Install updates from vendor's website.
Vulnerable software versions
Firefox for iOS: 20.0 - 27.0
External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU32933
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15651
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to insufficient validation of filenames when downloading files: a Unicode RTL order character in the downloaded file name can be used to change the file's name during the download UI flow, changing the file extension. A remote attacker can trick the victim into downloading malicious files to the system.
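The filename validation that CVE-2020-15651 describes as missing can be sketched as follows. This is an added example, not code from the bulletin or from Mozilla's fix; the function names `check_download_name` and `displayed_form` and the sample file names are constructed for illustration, and `displayed_form` is a deliberately simplified approximation of bidi rendering.

```python
import os

# Unicode characters with the Bidi_Control property.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f"                # ALM, LRM, RLM
    "\u202a\u202b\u202c\u202d\u202e"    # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"          # LRI, RLI, FSI, PDI
)
RLO, PDF = "\u202e", "\u202c"


def displayed_form(name):
    """Approximate the rendered name: text after RLO is drawn right to left."""
    # Simplified on purpose: only RLO ... PDF is handled, not all of UAX #9.
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(c for c in "".join(out) if c not in BIDI_CONTROLS)


def check_download_name(raw_name):
    """Describe a server-supplied download name (last path component only)."""
    name = os.path.basename(raw_name.replace("\\", "/"))
    found = sorted({f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS})
    # Logical name without bidi controls: the form a client should store and show.
    safe = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(safe)[1].lower()
    shown_ext = os.path.splitext(displayed_form(name))[1].lower()
    return {
        "safe_name": safe,
        "bidi_controls": found,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "spoofed": bool(found) and real_ext != shown_ext,
    }

# Constructed sample inputs, not taken from the advisory.
SAMPLES = ["report.pdf", "invoice\u202efdp.exe"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_download_name(sample))
```

A download prompt built on this check would show `safe_name` and `real_ext` to the user and treat any non-empty `bidi_controls` list as grounds to rename or reject the file.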
Install updates from vendor's website.
Vulnerable software versions
Firefox for iOS: 20.0 - 27.0
External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-34/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.