CVE-2020-26964 - If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version pri

CVE-2020-26964

Summary

If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a unix domain socket, protected by the Android SELinux policy; however, SELinux was not enforced for versions prior to 6.0. This was fixed by removing the Remote Debugging via USB feature from affected devices. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83.

References

Vulnerable Configurations

cpe:2.3:a:mozilla:firefox:80.0:*:*:*:*:android:*:*
cpe:2.3:a:mozilla:firefox:80.0:*:*:*:*:android:*:*
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*
cpe:2.3:o:google:android:*:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 10-12-2020 - 20:11)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	NONE

cvss-vector via4

AV:N/AC:H/Au:N/C:P/I:P/A:N

refmap via4

confirm	https://www.mozilla.org/security/advisories/mfsa2020-50/
misc	https://bugzilla.mozilla.org/show_bug.cgi?id=1658865

Last major update

10-12-2020 - 20:11

Published

09-12-2020 - 01:15

Last modified

10-12-2020 - 20:11