OAuth Session Fixation Vulnerability in Mozilla VPN Products
CVE-2020-15679
CVSS v3.1 base score: 7.6 (HIGH)
Key Information:
- Vendor: Mozilla
- CVE Published: 22 December 2022
Summary
An OAuth session fixation vulnerability exists in the Mozilla VPN login flow. An attacker can craft a login URL and convince a victim to log in through it; once the victim completes that login, the attacker obtains authenticated access as the victim, provided the attacker and the victim share the same source IP address (for example, two hosts behind the same NAT gateway). With that access the attacker can view the victim's VPN session state and terminate the victim's VPN sessions. In general terms, session fixation in an OAuth-style login arises when the client accepts the identifier of a login attempt (the OAuth state value, or an equivalent session handle) from outside, instead of generating an unguessable value itself for every attempt and binding it to the local session; the defence is to generate that value locally with a CSPRNG and to ignore any value carried by a URL the client did not create.
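The following added example is not Mozilla VPN code and is not taken from the advisory; it is a toy model of an OAuth-style VPN login in which a client polls an authorization server for the session that a browser login produces. The server (`ToyAuthServer`), the endpoint `https://auth.example/login`, the user name and the IP addresses are all constructed for the example, and the rule that the server only releases a session to a poller coming from the same source IP as the browser that logged in is an assumption made to model the "same source IP" precondition stated above, not a description of Mozilla's design. `VulnerableClient` uses a login URL handed to it from outside, so the attacker fixes the state; `FixedClient` always generates its own state.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_URL = "https://auth.example/login"  # hypothetical authorization endpoint


def state_from_url(url):
    """Extract the 'state' query parameter from a login URL."""
    return parse_qs(urlparse(url).query)["state"][0]


class ToyAuthServer:
    """Constructed toy authorization server (assumption, not Mozilla's design).

    A pending login is identified only by its state value.  When a user
    authenticates in the browser, the server records the user and the
    browser's source IP, and it releases the resulting session only to a
    poller that comes from that same IP.
    """

    def __init__(self):
        self.pending = {}  # state -> None (not completed) or {"user", "ip"}

    def login_url(self, state):
        self.pending[state] = None
        return f"{AUTH_URL}?{urlencode({'state': state})}"

    def complete_login(self, state, user, browser_ip):
        if state not in self.pending:
            raise ValueError("unknown state")
        self.pending[state] = {"user": user, "ip": browser_ip}

    def poll(self, state, source_ip):
        entry = self.pending.get(state)
        if entry is None or entry["ip"] != source_ip:
            return None
        return f"vpn-session:{entry['user']}"


class VulnerableClient:
    """Client that trusts a login URL handed to it from outside."""

    def __init__(self, server, ip):
        self.server, self.ip, self.state = server, ip, None

    def begin(self, external_url=None):
        if external_url is not None:
            # BUG: the attacker chose this state, so the attacker can poll for
            # the session that the victim's login will produce.
            self.state = state_from_url(external_url)
            return external_url
        self.state = secrets.token_urlsafe(32)
        return self.server.login_url(self.state)

    def finish(self):
        return self.server.poll(self.state, self.ip)


class FixedClient(VulnerableClient):
    """Client that always generates its own unguessable state per login."""

    def begin(self, external_url=None):
        # Any externally supplied URL is ignored; the state is fresh and local.
        self.state = secrets.token_urlsafe(32)
        return self.server.login_url(self.state)


def run_attack(client_cls, victim_ip="203.0.113.7", attacker_ip="203.0.113.7"):
    """Return (victim's session, attacker's session) after one lured login."""
    server = ToyAuthServer()
    attacker_state = secrets.token_urlsafe(32)
    crafted_url = server.login_url(attacker_state)  # attacker fixes the state

    victim = client_cls(server, victim_ip)
    url_opened = victim.begin(crafted_url)  # victim is lured into this URL
    # The victim authenticates in the browser for whatever state that URL
    # carries (constructed user name and IPs).
    server.complete_login(state_from_url(url_opened), "victim@example.org", victim_ip)

    return victim.finish(), server.poll(attacker_state, attacker_ip)


if __name__ == "__main__":
    print("vulnerable, same IP: ", run_attack(VulnerableClient))
    print("vulnerable, other IP:", run_attack(VulnerableClient, attacker_ip="198.51.100.9"))
    print("fixed, same IP:      ", run_attack(FixedClient))
```

With the vulnerable client and a shared IP both parties receive the victim's session; from a different IP the attacker's poll is refused, which is the precondition the advisory describes; with the fixed client the attacker's pre-registered state never completes, so the attacker gets nothing while the victim's own login still succeeds.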
Affected Version(s)
- Mozilla VPN for Windows: versions before 1.2.2
- Mozilla VPN for Android: versions before 1.1.0
- Mozilla VPN for iOS: versions before 1.0.7
CVSS v3.1
Score: 7.6
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low
Note: a score of 7.6 is only reachable from these metrics if one of the three impact metrics is High; with all three at Low the same vector scores 6.3 (Medium) under the CVSS v3.1 formula. Since the attacker obtains authenticated access as the victim, Confidentiality: High is the reading consistent with the summary above, and the Low value shown for it in some feeds is a transcription error.
Timeline
- Vulnerability reserved
- Vulnerability published: 22 December 2022