Main Vulnerability Database Vulnerabilities #VU48475

Spoofing attack in Firefox for Android - CVE-2020-26954

Published: November 17, 2020

Vulnerability identifier: #VU48475

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-26954

CWE-ID: CWE-451

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Firefox for Android

Software vendor:
Mozilla

Description

The vulnerability allows a local application to perform spoofing attack.

The vulnerability exists due to incorrect processing of web manifests. When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites.

Remediation

Install updates from vendor's website.

External links

https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/

Spoofing attack in Firefox for Android - CVE-2020-26954

Description

Remediation

External links

Please verify you're human