Vulnerability Description
If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a unix domain socket, protected by the Android SELinux policy; however, SELinux was not enforced for versions prior to 6.0. This was fixed by removing the Remote Debugging via USB feature from affected devices. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 83.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mozilla | Firefox | < 83.0 |
| Android | < 6.0 |
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=1658865Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2020-50/Vendor Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=1658865Issue TrackingPermissions RequiredVendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2020-50/Vendor Advisory
FAQ
What is CVE-2020-26964?
CVE-2020-26964 is a vulnerability with a CVSS score of 6.8 (MEDIUM). If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileg...
How severe is CVE-2020-26964?
CVE-2020-26964 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26964?
Check the references section above for vendor advisories and patch information. Affected products include: Mozilla Firefox, Google Android.