CVE-2020-26975
First published: Tue Dec 15 2020(Updated: )
When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84.
Credit: security@mozilla.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Firefox | <84 | 84 |
| Firefox | <84.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2020-26975?
CVE-2020-26975 has been classified as a moderate severity vulnerability.
How do I fix CVE-2020-26975?
To fix CVE-2020-26975, update Firefox for Android to version 84 or later.
Who is affected by CVE-2020-26975?
CVE-2020-26975 affects Firefox for Android versions prior to 84.
What types of attacks can occur due to CVE-2020-26975?
CVE-2020-26975 can lead to attacks such as ambient authority abuse or session fixation.
What was the solution implemented for CVE-2020-26975?
The solution for CVE-2020-26975 involved allowing only certain safe-listed headers in intents.
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/mozilla-advisory
- agent/software-canonical-lookup-request
- source/Mozilla
- agent/software-canonical-lookup
- collector/nvd-index
- vendor/mozilla
- canonical/firefox