CVE-2020-15679

Description

An OAuth session fixation vulnerability existed in the VPN login flow, where an attacker could craft a custom login URL, convince a VPN user to login via that URL, and obtain authenticated access as that user. This issue is limited to cases where attacker and victim are sharing the same source IP and could allow the ability to view session states and disconnect VPN sessions. This vulnerability affects Mozilla VPN iOS 1.0.7 < (929), Mozilla VPN Windows < 1.2.2, and Mozilla VPN Android 1.1.0 < (1360).

References

Link	Tags
https://www.mozilla.org/security/advisories/mfsa2020-48/	vendor advisory
https://github.com/mozilla-services/guardian-vpn-windows/commit/ac6f562973a83f6758cd7ab7aa313e863047d41b	third party advisory patch
https://github.com/mozilla-mobile/guardian-vpn-android/commit/981c840276ef3aee98cf5d42993d484ee99b28d9	third party advisory patch
https://github.com/mozilla-mobile/guardian-vpn-ios/commit/4309f5c9bd2c15cdfd39ac173665fad3f2598b54	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2020-15679?: CVE-2020-15679 has been scored as a high severity vulnerability.
How to fix CVE-2020-15679?: To fix CVE-2020-15679, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-15679 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2020-15679 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-15679?: CVE-2020-15679 affects Mozilla Mozilla VPN iOS 1.0.7, Mozilla Mozilla VPN Windows, Mozilla Mozilla VPN Android 1.1.0.

Description

Category

CWE-384 – Session Fixation

References

Frequently Asked Questions