#VU48164 Session Fixation in Mozilla products - CVE-2020-15679

Published: November 5, 2020


Vulnerability identifier: #VU48164
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-15679
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Mozilla VPN Windows
Mozilla VPN iOS
Mozilla VPN Android
Software vendor:
Mozilla

Description

The vulnerability allows a remote attacker to hijack the sessions of other users of the application.

The vulnerability exists in the OAuth session-handling functionality. A remote attacker can craft a custom login URL carrying a session identifier the attacker already knows, convince a VPN user to log in via that URL, and then use that identifier to obtain authenticated access as that user.

Exploitation is limited to cases where the attacker and the victim share the same source IP address. A successful attack allows the attacker to view the victim's session state and to disconnect the victim's VPN sessions.
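The following is an added illustration of the weakness class (CWE-384, session fixation) in an OAuth-style login flow. It is not Mozilla VPN code and does not reproduce the product's actual defect or its fix; the hostnames, class names and the per-client `client_secret` binding are assumptions for the demo. The vulnerable flow accepts the session identifier from the login URL, so an attacker who mints the URL owns the session once the victim authenticates. The hardened flow generates the state itself, binds it to a secret held only by the initiating client, consumes it on first use, and rotates to a fresh session id after authentication. Because the advisory notes that attacker and victim share a source IP, the binding deliberately uses a client-held secret rather than the source address.

```python
"""Session fixation (CWE-384) in an OAuth-style login flow: vulnerable vs. hardened.

Illustrative code only; not Mozilla VPN code and not its actual fix.
"""
import hashlib
import hmac
import secrets


class VulnerableLoginFlow:
    """The session id is taken from the login URL, so a caller can choose it."""

    def __init__(self):
        self.sessions = {}  # session id -> authenticated user (None until login)

    def login_url(self, session_id=None):
        # Bug: anyone (including an attacker) may pick the session id.
        sid = session_id or secrets.token_urlsafe(16)
        self.sessions[sid] = None
        return f"https://vpn.example/login?session={sid}"  # hostname is assumed

    def callback(self, url, user):
        # Bug: the id carried in the URL becomes the authenticated session.
        sid = url.split("session=", 1)[1]
        self.sessions[sid] = user
        return sid

    def whoami(self, session_id):
        return self.sessions.get(session_id)


class HardenedLoginFlow:
    """Server-chosen, single-use state bound to the client, plus id rotation."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.pending = {}   # state -> HMAC binding expected from the issuing client
        self.sessions = {}  # rotated session id -> authenticated user

    def _binding(self, state, client_secret):
        # client_secret is held only by the client that started the flow (for a
        # browser: an HttpOnly cookie; for a native app: an in-memory nonce).
        msg = f"{state}|{client_secret}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def login_url(self):
        state = secrets.token_urlsafe(32)          # never taken from the request
        client_secret = secrets.token_urlsafe(32)  # returned only to the initiating client
        self.pending[state] = self._binding(state, client_secret)
        return f"https://vpn.example/login?state={state}", client_secret

    def callback(self, url, client_secret, user):
        state = url.split("state=", 1)[1]
        expected = self.pending.pop(state, None)   # single use: replay is rejected
        if expected is None:
            raise PermissionError("unknown or already-consumed state")
        if not hmac.compare_digest(expected, self._binding(state, client_secret)):
            raise PermissionError("state was not issued to this client")
        sid = secrets.token_urlsafe(32)            # rotate: the URL value never becomes the session
        self.sessions[sid] = user
        return sid

    def whoami(self, session_id):
        return self.sessions.get(session_id)


def run_fixation_attack():
    """Returns what the attacker ends up with in each flow after the victim logs in."""
    # Vulnerable flow: attacker plants a known id, victim authenticates with it.
    vuln = VulnerableLoginFlow()
    planted_url = vuln.login_url(session_id="attacker-chosen-id")
    vuln.callback(planted_url, user="victim@example.com")
    vuln_result = vuln.whoami("attacker-chosen-id")   # attacker now acts as the victim

    # Hardened flow: attacker starts a flow and forwards the URL, but the victim's
    # client only holds its own secret, so the server refuses the foreign state.
    hard = HardenedLoginFlow()
    attacker_url, _attacker_secret = hard.login_url()
    _victim_url, victim_secret = hard.login_url()
    try:
        hard.callback(attacker_url, victim_secret, user="victim@example.com")
        hard_result = "victim session created on attacker-chosen state"
    except PermissionError as exc:
        hard_result = str(exc)
    return vuln_result, hard_result


if __name__ == "__main__":
    print(run_fixation_attack())
```

The check that matters is the last one in `HardenedLoginFlow.callback`: even when the victim completes the flow on an attacker-supplied URL, the session id that becomes authenticated is freshly generated and returned only to the client that proved possession of the binding secret, so nothing the attacker saw in the URL identifies a live session.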


Remediation

Install updates from the vendor's website.

External links