Permissions, Privileges, and Access Controls in Firefox for Android - CVE-2020-26975
Published: December 15, 2020
Vulnerability identifier: #VU49017
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-26975
CWE-ID: CWE-264
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Mozilla
Affected software:
Firefox for Android
Firefox for Android
Detailed vulnerability description
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to application does not properly impose security restrictions. When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers
How to mitigate CVE-2020-26975
Install updates from vendor's website.