OAuth Session Fixation Vulnerability in Mozilla VPN Products
CVE-2020-15679
7.6 HIGH
Key Information:
- Vendor: Mozilla
- CVE Published: 22 December 2022
What is CVE-2020-15679?
An OAuth session fixation vulnerability exists within the login flow of Mozilla VPN, enabling malicious actors to craft a deceptive login URL. When a victim logs in through this manipulated link, the attacker can gain authenticated access, provided both parties share the same source IP. This could permit attackers to monitor session states or terminate the victim's VPN sessions, compromising user security and privacy.
Affected Version(s)
Mozilla VPN Android 1.1.0 < unspecified
Mozilla VPN iOS 1.0.7 < unspecified
Mozilla VPN Windows < 1.2.2