CVE-2020-26975 — Mozilla Firefox vulnerability

4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.4%

top 40.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Debian Firefox

Timeline

PublishedJan 7

Latest updateMay 24

Description

When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5mozilla/firefoxunspecified — 84

▶NVDmozilla/firefox< 84.0

▶debiandebian/firefox

▶mozillamozilla/firefox

🔴Vulnerability Details

GHSA

GHSA-cmfr-9hrr-hpg4: When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, l↗2022-05-24

▶

📋Vendor Advisories

Debian

CVE-2020-26975: firefox - When a malicious application installed on the user's device broadcast an Intent ...↗2020

▶

Mozilla

Mozilla Foundation Security Advisory 2020-54: CVE-2020-26975↗

▶