SB2020110542 - Session fixation in Mozilla VPN


Published: November 5, 2020

Security Bulletin ID SB2020110542
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Session Fixation (CVE-ID: CVE-2020-15679)

CWE-ID: CWE-384 - Session Fixation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to impersonate sessions of other application users.

The vulnerability exists within the OAuth session handling functionality. A remote attacker can craft a custom login URL, convince a VPN user to log in via that URL, and obtain authenticated access as that user.

This issue is limited to cases where the attacker and the victim share the same source IP address; it could allow the attacker to view session state and disconnect VPN sessions.
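The following constructed model illustrates the CWE-384 pattern described above and the standard fix for it. It is an added example, not Mozilla VPN's code and not a real identity provider: two in-memory servers, one that lets the identifier carried in the login URL become the authenticated session, and one that treats that identifier as a one-shot pre-authentication token and issues a fresh session id only to the user agent that actually authenticated. The host `vpn.example`, the class names and the helper functions are all assumptions made for the illustration.

```python
"""CWE-384 in a login-URL-driven flow, as a constructed in-memory model.

Neither server here is Mozilla VPN's code or any real identity provider.
The point is the contrast between binding the authenticated identity to the
identifier that was in the login URL and issuing a fresh identifier instead."""
import secrets
from typing import Optional

LOGIN_ENDPOINT = "https://vpn.example/login"  # placeholder host, not a real service


class VulnerableServer:
    """The identifier in the login URL *is* the session: whoever knows it
    (for instance whoever crafted the URL) can use the session once the
    victim has authenticated."""

    def __init__(self) -> None:
        self.sessions: dict[str, Optional[str]] = {}  # session id -> user or None

    def login_url(self, session_id: Optional[str] = None) -> tuple[str, str]:
        # Defect 1: a caller-supplied identifier is accepted unchanged.
        sid = session_id or secrets.token_urlsafe(16)
        self.sessions.setdefault(sid, None)
        return f"{LOGIN_ENDPOINT}?session={sid}", sid

    def authenticate(self, sid: str, username: str) -> None:
        # Defect 2: the pre-login identifier is kept and merely upgraded to
        # "logged in"; it is never rotated.
        if sid in self.sessions:
            self.sessions[sid] = username

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


class HardenedServer:
    """The login URL carries a one-shot, server-minted pre-auth identifier.
    On successful authentication it is consumed and a brand-new session id is
    handed only to the user agent that authenticated."""

    def __init__(self) -> None:
        self.pending: set[str] = set()
        self.sessions: dict[str, str] = {}

    def login_url(self) -> tuple[str, str]:
        sid = secrets.token_urlsafe(16)        # never taken from the caller
        self.pending.add(sid)
        return f"{LOGIN_ENDPOINT}?session={sid}", sid

    def authenticate(self, pre_auth_id: str, username: str) -> Optional[str]:
        if pre_auth_id not in self.pending:
            return None                        # unknown or already used
        self.pending.discard(pre_auth_id)      # one-shot: cannot be replayed
        new_sid = secrets.token_urlsafe(32)    # session id rotated on login
        self.sessions[new_sid] = username
        return new_sid                         # goes to the authenticating UA only

    def whoami(self, sid: str) -> Optional[str]:
        return self.sessions.get(sid)


def fixation_against_vulnerable() -> Optional[str]:
    """Attacker crafts a URL around an identifier it chose; the victim logs in
    through it; the attacker then reads the session under that identifier."""
    server = VulnerableServer()
    url, attacker_known_id = server.login_url("id-picked-by-attacker")
    assert "id-picked-by-attacker" in url      # the crafted URL fixes the id
    server.authenticate(attacker_known_id, "victim")   # victim opens the URL
    return server.whoami(attacker_known_id)            # "victim"


def fixation_against_hardened() -> tuple[Optional[str], Optional[str], Optional[str]]:
    """Same attack against the hardened server: the attacker starts a login
    and forwards the URL. The victim ends up with a valid session, but the
    identifier the attacker knows buys nothing and cannot be replayed."""
    server = HardenedServer()
    _url, attacker_known_id = server.login_url()
    victims_session = server.authenticate(attacker_known_id, "victim")
    attacker_view = server.whoami(attacker_known_id)          # None
    replay = server.authenticate(attacker_known_id, "victim")  # None, id consumed
    return attacker_view, replay, server.whoami(victims_session or "")
```

Running `fixation_against_vulnerable()` returns `"victim"`, while `fixation_against_hardened()` returns `(None, None, "victim")`: the victim is logged in, the attacker's identifier resolves to nothing, and a second use of it is rejected. The two changes that matter are refusing caller-supplied identifiers and rotating the session id at the moment of authentication, which is the generic remediation for CWE-384.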


Remediation

Install the update from the vendor's website.