CVE-2020-26964: Mozilla Firefox vulnerability

5 documents, 5 sources
Severity: 6.8 MEDIUM (NVD)
EPSS: 0.3% (top 46.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 9
Latest update: May 24

Description

If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a unix domain socket, protected by the Android SELinux policy; however, SELinux was not enforced for versions prior to 6.0. This was fixed by removing the Remote Debugging via USB feature from affected devices.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 1.6 | Impact: 5.2

Affected Packages (4 packages)

CVEListV5: mozilla/firefox < 83
NVD: mozilla/firefox < 83.0
mozilla: mozilla/firefox

🔴 Vulnerability Details (2)

GHSA: GHSA-3x56-fp32-hw97: If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6 (2022-05-24)
OSV: CVE-2020-26964: If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6 (2020-12-09)

📋 Vendor Advisories (2)

Debian: CVE-2020-26964: firefox - If the Remote Debugging via USB feature was enabled in Firefox for Android on an... (2020)
Mozilla: Mozilla Foundation Security Advisory 2020-50: CVE-2020-26964