ID CVE-2020-26954
Summary When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain fullscreen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.* This vulnerability affects Firefox < 83.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:firefox:80.0:*:*:*:*:android:*:*
CVSS
Base: 4.3 (as of 10-12-2020 - 16:49)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: PARTIAL
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
refmap via4
confirm https://www.mozilla.org/security/advisories/mfsa2020-50/
misc https://bugzilla.mozilla.org/show_bug.cgi?id=1657026
Last major update 10-12-2020 - 16:49
Published 09-12-2020 - 01:15
Last modified 10-12-2020 - 16:49