SB2020121532 - Multiple vulnerabilities in Mozilla Firefox for Android




Published: December 15, 2020

Security Bulletin ID: SB2020121532
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Spoofing attack (CVE-ID: CVE-2020-26977)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to incorrect processing of user-supplied data. By attempting to connect to a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-26975)

The vulnerability allows a local application to bypass implemented security restrictions.

The vulnerability exists because the application does not properly impose security restrictions. When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers.
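
The safe-listing fix described above, sketched in Kotlin as an added example (not Mozilla's code). The function name filterIntentHeaders and the contents of SAFE_HEADERS are assumptions made for illustration; the bulletin does not say which headers are safe-listed.

```kotlin
// Added illustration: deny-by-default filtering of request headers that arrive
// in an Intent from another app. SAFE_HEADERS is an assumed list, not Mozilla's.
private val SAFE_HEADERS = setOf("accept", "accept-language", "content-language", "content-type")

// Characters that would let a name or value smuggle an extra header line.
private val LINE_BREAKS = Regex("[\\r\\n\\u0000]")

/**
 * Returns only headers whose name is allow-listed and whose name and value
 * contain no line breaks. Everything else (Cookie, Authorization, Host, ...)
 * is dropped instead of being sent with the browser's ambient authority.
 */
fun filterIntentHeaders(untrusted: Map<String, String>): Map<String, String> {
    val kept = LinkedHashMap<String, String>()
    for ((name, value) in untrusted) {
        // Header names are case-insensitive, so compare in lower case.
        val normalized = name.trim().lowercase()
        if (normalized !in SAFE_HEADERS) continue
        // Reject header splitting before any trimming hides it.
        if (LINE_BREAKS.containsMatchIn(name) || LINE_BREAKS.containsMatchIn(value)) continue
        // First occurrence wins, so a duplicate cannot override an accepted value.
        kept.putIfAbsent(normalized, value.trim())
    }
    return kept
}

fun main() {
    // Constructed sample of headers a third-party app might attach to an Intent.
    val fromIntent = mapOf(
        "Accept-Language" to "en-GB",
        "Cookie" to "session=constructed-value",              // session fixation
        "Authorization" to "Bearer constructed-token",        // ambient authority
        "Content-Type" to "text/plain\r\nCookie: session=x",  // header splitting
        "ACCEPT" to "text/html",
    )
    println(filterIntentHeaders(fromIntent))
}
```

The filter is applied at the trust boundary, before the headers reach the network layer, so a header that is not on the list never travels with the user's existing cookies or credentials.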


Remediation

Install the update from the vendor's website.