PT-2022-8577 · Mozilla · Vpn

Published 2022-12-22 · Updated 2022-12-29 · CVE-2020-15679

CVSS v3.1: 7.6 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions

Mozilla VPN iOS versions 1.0.7 and earlier

Mozilla VPN Windows versions prior to 1.2.2

Mozilla VPN Android versions 1.1.0 and earlier

Description

An issue existed in the VPN login flow: an attacker could craft a custom login URL and convince a VPN user to log in via that URL, thereby obtaining authenticated access as that user. The issue is limited to cases where the attacker and the victim share the same source IP, and it could allow the attacker to view session states and disconnect VPN sessions.

Recommendations

For Mozilla VPN iOS versions 1.0.7 and earlier, update to a version later than 1.0.7.

For Mozilla VPN Windows versions prior to 1.2.2, update to version 1.2.2 or later.

For Mozilla VPN Android versions 1.1.0 and earlier, update to a version later than 1.1.0.

Fix

Session Fixation

Weakness Enumeration

Related Identifiers

CVE-2020-15679

Affected Products

Vpn