CVE-2020-6824: Session Fixation in Mozilla Firefox

CWE-384: Session Fixation | 9 documents | 8 sources
Severity
NVD: 2.8 LOW
OSV: 7.5
EPSS: 0.1% (top 67.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 24
Latest update: May 24

Description

Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password, the generated passwords would have been identical rather than independent. This vulnerability affects Firefox < 75.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Exploitability: 1.3 | Impact: 1.4

Affected Packages (5 packages)

debian | debian/firefox | < firefox 75.0-1 (sid)
CVEListV5 | mozilla/firefox | unspecified | 75
NVD | mozilla/firefox | < 75.0
Ubuntu | mozilla/firefox | < 75.0+build3-0ubuntu0.16.04.1+2
mozilla | mozilla/firefox

🔴 Vulnerability Details (3)

GHSA | GHSA-887x-j4cf-3pqh: Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open | 2022-05-24
OSV | CVE-2020-6824: Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open | 2020-04-07
OSV | firefox vulnerabilities | 2020-04-07

📋 Vendor Advisories (4)

Red Hat | Mozilla: Generated passwords may be identical on the same site between separate private browsing sessions | 2020-04-10
Ubuntu | Firefox vulnerabilities | 2020-04-07
Debian | CVE-2020-6824: firefox - Initially, a user opens a Private Browsing Window and generates a password for a... | 2020
Mozilla | Mozilla Foundation Security Advisory 2020-12: CVE-2020-6824

💬 Community (1)

Bugzilla | CVE-2020-6824 Mozilla: Generated passwords may be identical on the same site between separate private browsing sessions | 2020-04-07