Mozilla Firefox up to 25.x on iOS Native-to-JS Bridging information disclosure
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.1 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Mozilla Firefox up to 25.x on iOS. It has been rated as problematic. This vulnerability affects unknown code of the component Native-to-JS Bridging. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2020-12404. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.
Details
A vulnerability was found in Mozilla Firefox up to 25.x on iOS (Web Browser). It has been rated as problematic. This issue affects an unknown function of the component Native-to-JS Bridging. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:
For native-to-JS bridging the app requires a unique token to be passed that ensures non-app code can't call the bridging functions. That token could leak when used for downloading files. This vulnerability affects Firefox for iOS < 26.
The weakness was disclosed 07/09/2020 as Bug 1631739 as not defined bug report (Bugzilla). It is possible to read the advisory at bugzilla.mozilla.org. The identification of this vulnerability is CVE-2020-12404 since 04/28/2020. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.
Upgrading to version 26.0 eliminates this vulnerability.
The entries VDB-157791, VDB-157790 and VDB-157786 are pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.mozilla.org/
- Product: https://www.mozilla.org/en-US/firefox/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.3VulDB Meta Temp Score: 4.2
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 4.3
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Firefox 26.0
Timeline
04/28/2020 🔍07/09/2020 🔍
07/10/2020 🔍
07/10/2020 🔍
Sources
Vendor: mozilla.orgProduct: mozilla.org
Advisory: Bug 1631739
Status: Not defined
CVE: CVE-2020-12404 (🔍)
GCVE (CVE): GCVE-0-2020-12404
GCVE (VulDB): GCVE-100-157787
See also: 🔍
Entry
Created: 07/10/2020 08:13Updated: 07/10/2020 08:18
Changes: 07/10/2020 08:13 (44), 07/10/2020 08:18 (18)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.