PT-2020-6751 · Mozilla+1 · Firefox For Android+1

Pedro Oliveira

Published

2020-12-15

Updated

2024-12-12

CVE-2020-26975

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions Firefox for Android versions prior to 84

Description The issue is related to insufficient access control in Firefox for Android, allowing a remote attacker to bypass existing security restrictions. When a malicious application installed on the user's device broadcasts an Intent to Firefox for Android, arbitrary headers could be specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers.

Recommendations For Firefox for Android versions prior to 84, update to version 84 or later to resolve the issue. As a temporary workaround, consider restricting the use of Intent broadcasts to minimize the risk of exploitation.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-264

Related Identifiers

ALT-PU-2020-3529

ALT-PU-2021-3368

BDU:2022-05940

CVE-2020-26975

OPENSUSE-SU-2024:10600-1

OPENSUSE-SU-2024:14572-1

Affected Products

Alt Linux

Firefox For Android

PT-2020-6751 · Mozilla+1 · Firefox For Android+1

CVE-2020-26975

Weakness Enumeration

Related Identifiers

Affected Products

References · 1871