CVE-2020-15679Session Fixation in Mozilla VPN Android 1.1.0

CWE-384Session Fixation4 documents4 sources
Severity
7.6HIGHNVD
EPSS
0.6%
top 31.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mozilla VPN Android 1.1.0Mozilla VPN IOS 1.0.7Mozilla VPN Windows+1 more
Timeline
PublishedDec 22

Description

An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (13

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:HExploitability: 2.8 | Impact: 4.7

Affected Packages4 packages

CVEListV5mozilla/mozilla_vpn_windowsunspecified1.2.2
CVEListV5mozilla/mozilla_vpn_android_1.1.0unspecified(1360)
NVDmozilla/vpn1.0.71.0.7_\(929\)+3
CVEListV5mozilla/mozilla_vpn_ios_1.0.7unspecified(929)

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

2
CVEList
CVE-2020-15679: An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login2022-12-22
GHSA
GHSA-6pmm-vfgm-49r7: An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login2022-12-22

📋Vendor Advisories

1
Mozilla
Mozilla Foundation Security Advisory 2020-48: CVE-2020-15679
CVE-2020-15679 — Session Fixation in Mozilla | cvebase