CVE-2020-26975
Last modified
CVE-2020-26975 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. EPSS estimates a 0.86% chance of exploitation in the next 30 days.
Description
When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 84.0 |
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661071Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2020-54/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661071Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2020-54/Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-26975?
How severe is CVE-2020-26975?
How do I fix CVE-2020-26975?
Are you affected by CVE-2020-26975?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST