Session Fixation in Mozilla products - CVE-2020-15679

 

Session Fixation in Mozilla products - CVE-2020-15679

Published: November 5, 2020


Vulnerability identifier: #VU48164
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-15679
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Mozilla
Affected software:
Mozilla VPN Windows
Mozilla VPN iOS
Mozilla VPN Android

Detailed vulnerability description

The vulnerability allows a remote attacker to impersonate sessions of other application users.

The vulnerability exists within OAuth session handling functionality. A remote attacker can craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user.

This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions.


How to mitigate CVE-2020-15679

Install updates from vendor's website.

Sources