Session fixation in Mozilla VPN

Published: 2020-11-05
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2020-15679
CWE-ID: CWE-384
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Mozilla VPN Windows
Client/Desktop applications / Other client software

Mozilla VPN iOS
Mobile applications / Apps for mobile phones

Mozilla VPN Android
Mobile applications / Apps for mobile phones

Vendor: Mozilla

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Session Fixation

EUVDB-ID: #VU48164

Risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-15679

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to impersonate sessions of other application users.

The vulnerability exists within OAuth session handling functionality. A remote attacker can craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user.

This issue is limited to cases where the attacker and the victim share the same source IP address; it could allow the attacker to view session states and disconnect VPN sessions.
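The weakness class above (CWE-384 in an OAuth-style login) comes down to a client that adopts a login session identifier from a URL it did not create, so whoever crafted the URL can collect the result once the victim authenticates. The following is an added, constructed example, not Mozilla VPN's code and not a description of its real login protocol: a toy identity provider, a client that exhibits the fixation pattern, and a hardened client that mints its own session id, binds the result to a locally held secret (the PKCE-style verifier/challenge pair is a general mitigation that goes beyond what the advisory states), and refuses externally supplied login URLs. All names and URLs in it are hypothetical.

```python
"""Toy OAuth-style login flow showing CWE-384 session fixation and a
mitigation. Constructed example; not Mozilla VPN's code and not a
description of its actual login protocol."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDP = "https://idp.example/login"   # hypothetical identity provider endpoint


def _b64url_sha256(value: str) -> str:
    """base64url(sha256(value)) without padding, as used for PKCE challenges."""
    digest = hashlib.sha256(value.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthServer:
    """Stand-in identity provider (constructed). Records which account finished
    the login started under a session id; `poll` hands the result to anyone who
    knows the id, `redeem` only to a caller holding the matching verifier."""

    def __init__(self):
        self._completed = {}   # session id -> (account, challenge or None)

    def user_completes_login(self, login_url: str, account: str) -> None:
        # The user's browser finishes login for whatever session the URL carried.
        params = parse_qs(urlparse(login_url).query)
        challenge = params.get("challenge", [None])[0]
        self._completed[params["session"][0]] = (account, challenge)

    def poll(self, session_id: str):
        # Weak endpoint: no proof of possession, knowing the id is enough.
        entry = self._completed.pop(session_id, None)
        return f"token-for-{entry[0]}" if entry else None

    def redeem(self, session_id: str, verifier: str):
        # Release the session only if the caller proves it minted the challenge.
        entry = self._completed.get(session_id)
        if not entry or entry[1] is None:
            return None
        if not hmac.compare_digest(_b64url_sha256(verifier), entry[1]):
            return None
        del self._completed[session_id]
        return f"token-for-{entry[0]}"


class VulnerableClient:
    """Fixation pattern: adopts the session id found in a login URL it is
    handed, then polls for the result, so the URL's author can poll it too."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.session_id = None

    def open_login_url(self, url: str) -> str:
        self.session_id = parse_qs(urlparse(url).query)["session"][0]
        return url

    def finish(self):
        return self.server.poll(self.session_id)


class HardenedClient:
    """Mitigated pattern: the client mints its own session id and a secret
    verifier, publishes only the verifier's hash in the login URL, and refuses
    any login URL it did not build itself."""

    def __init__(self, server: AuthServer):
        self.server = server
        self.session_id = None
        self.verifier = None

    def start_login(self) -> str:
        self.session_id = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(32)
        query = urlencode({"session": self.session_id,
                           "challenge": _b64url_sha256(self.verifier)})
        return f"{IDP}?{query}"

    def open_login_url(self, url: str) -> str:
        raise ValueError("externally supplied login URLs are not accepted")

    def finish(self):
        return self.server.redeem(self.session_id, self.verifier)


def run_fixation_scenario():
    """Crafted login URL against the vulnerable client; returns what the URL's
    author can collect after the victim logs in."""
    server = AuthServer()
    foreign_sid = secrets.token_urlsafe(16)            # chosen outside the client
    crafted = f"{IDP}?{urlencode({'session': foreign_sid})}"
    victim = VulnerableClient(server)
    victim.open_login_url(crafted)
    server.user_completes_login(crafted, "victim@example.org")
    return server.poll(foreign_sid)


def run_hardened_scenario():
    """Same actors against the hardened client. Returns (victim's token,
    result of redeeming without the verifier, whether a crafted URL was refused)."""
    server = AuthServer()
    victim = HardenedClient(server)
    url = victim.start_login()
    server.user_completes_login(url, "victim@example.org")
    sid = parse_qs(urlparse(url).query)["session"][0]   # assume the URL leaked
    without_verifier = server.redeem(sid, secrets.token_urlsafe(32))
    try:
        victim.open_login_url(f"{IDP}?{urlencode({'session': 'foreign'})}")
        refused = False
    except ValueError:
        refused = True
    return victim.finish(), without_verifier, refused
```

The two properties the hardened client relies on are independent and both matter: the session id and verifier are generated on the device that starts the login, so no external URL can fix them, and the server releases the session only against the verifier, so even a leaked login URL (shared IP, logs, shoulder-surfing) is not enough to collect someone else's session.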

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Mozilla VPN Windows: 0.13 - 1.2

Mozilla VPN iOS: 1.0.0 - 1.0.6

Mozilla VPN Android: 1.0.0

External links

http://www.mozilla.org/en-US/security/advisories/mfsa2020-48/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
