CVE-2020-26975 - log

CVE-2020-26975 edited at 15 Dec 2020 17:02:45
Description
- When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers.
+ When a malicious application installed on the user's device broadcast an Intent to Firefox for Android before 84.0, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers.
CVE-2020-26975 edited at 15 Dec 2020 16:58:12
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Insufficient validation
Description
+ When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/#CVE-2020-26975
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1661071
Notes
CVE-2020-26975 created at 15 Dec 2020 16:48:51