OAuth Session Fixation Vulnerability in Mozilla VPN Products
CVE-2020-15679
7.6 HIGH
Key Information:
- Vendor: Mozilla
- CVE Published: 22 December 2022
What is CVE-2020-15679?
An OAuth session fixation vulnerability exists within the login flow of Mozilla VPN, enabling malicious actors to craft a deceptive login URL. When a victim logs in through this manipulated link, the attacker can gain authenticated access, provided both parties share the same source IP. This could permit attackers to monitor session states or terminate the victim's VPN sessions, compromising user security and privacy.

Affected Version(s)
Mozilla VPN Android 1.1.0 < unspecified
Mozilla VPN iOS 1.0.7 < unspecified
Mozilla VPN Windows < 1.2.2
CVSS V3.1
- Score: 7.6
- Severity: HIGH
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved