Vulnerability identifier: #VU48164
Vulnerability risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-384
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Mozilla VPN Windows
Client/Desktop applications /
Other client software
Mozilla VPN iOS
Mobile applications /
Apps for mobile phones
Mozilla VPN Android
Mobile applications /
Apps for mobile phones
Vendor: Mozilla
Description
The vulnerability allows a remote attacker to impersonate sessions of other application users.
The vulnerability exists within OAuth session handling functionality. A remote attacker can craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user.
This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Mozilla VPN Windows: 0.13 - 1.2
Mozilla VPN iOS: 1.0.0 - 1.0.6
Mozilla VPN Android: 1.0.0
External links
http://www.mozilla.org/en-US/security/advisories/mfsa2020-48/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.