
Rewterz Threat Advisory – CVE-2020-15679 – Mozilla VPN session hijacking

Severity

High

Analysis Summary

CVE-2020-15679

Mozilla VPN for Windows, Android and iOS is affected by an OAuth session fixation vulnerability in the VPN login flow that could allow a remote attacker to hijack a user’s session. By persuading a VPN user to log in using a specially crafted login URL, an attacker could exploit this vulnerability to view session states and disconnect VPN sessions.
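
The general defence against OAuth session fixation is to bind the login callback to the client that started the flow. The sketch below is an added example, not Mozilla's code or its actual fix: it uses a per-attempt `state` value and PKCE S256 (RFC 7636), and the names `LoginFlow`, `server_accepts` and `callback_accepted` are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


def s256(verifier: str) -> str:
    """PKCE S256 transform (RFC 7636): base64url(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class LoginFlow:
    """Hypothetical client-side record of logins this device started itself."""

    def __init__(self):
        self.pending = {}  # state -> code_verifier, only ever filled by begin()

    def begin(self) -> dict:
        """Start a login: fresh random state and PKCE verifier per attempt."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)
        self.pending[state] = verifier
        return {"state": state, "code_challenge": s256(verifier),
                "code_challenge_method": "S256"}

    def finish(self, state: str, code: str) -> dict:
        """Handle the callback; refuse any state this client did not issue."""
        verifier = self.pending.pop(state, None)  # pop makes the state single-use
        if verifier is None:
            raise ValueError("callback state was not issued by this client")
        return {"code": code, "code_verifier": verifier}


def server_accepts(code_challenge: str, code_verifier: str) -> bool:
    """Authorization-server check that the redeemer holds the original verifier."""
    return hmac.compare_digest(s256(code_verifier), code_challenge)


def callback_accepted(flow: LoginFlow, state: str, code: str) -> bool:
    """True if the client would continue the login for this callback."""
    try:
        flow.finish(state, code)
        return True
    except ValueError:
        return False
```

A callback carrying a `state` that came from a supplied login URL rather than from `begin()` is dropped, and a replayed `state` is rejected because each value is consumed on first use.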

Impact

Session hijacking

Affected Vendors

Mozilla

Affected Products

  • Mozilla VPN Android 1.0.9
  • Mozilla VPN iOS 1.0.6
  • Mozilla VPN Windows 1.2.1

Remediation

Refer to Mozilla Foundation Security Advisory 2020-48 for patch, upgrade or suggested workaround information.

https://www.mozilla.org/en-US/security/advisories/mfsa2020-48/