Login Sign Up

CVE-2020-6828

7.5 HIGH

📋 TL;DR

This vulnerability allows a malicious Android app to craft an Intent that Firefox for Android processes, potentially overwriting files in the user's profile directory. By controlling arbitrary preferences through a crafted user.js file, an attacker could achieve effects equivalent to arbitrary code execution. Only Firefox for Android users running affected versions are impacted.

💻 Affected Systems

Products:
  • Firefox for Android
Versions: Firefox ESR versions < 68.7
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Firefox for Android. Desktop Firefox and other browsers are unaffected.

📦 What is this software?

Firefox Esr by Mozilla

View all CVEs affecting Firefox Esr →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Firefox for Android through arbitrary code execution, allowing data theft, credential harvesting, and further device compromise.

🟠

Likely Case

Malicious preference injection leading to browser hijacking, data exfiltration, or installation of additional malware.

🟢

If Mitigated

No impact if Firefox is updated or if malicious apps are prevented from installing.

🌐 Internet-Facing: LOW - This requires a malicious Android app to be installed, not direct internet exploitation.
🏢 Internal Only: MEDIUM - Internal Android devices with vulnerable Firefox versions could be compromised via malicious apps.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious Android app to be installed and to craft a specific Intent targeting Firefox.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox ESR 68.7 or later

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2020-13/

Restart Required: Yes

Instructions:

1. Open Firefox for Android. 2. Go to Settings > About Firefox. 3. Allow automatic update or manually update to version 68.7 or higher from Google Play Store.

🔧 Temporary Workarounds

Disable Firefox for Android

android

Temporarily disable or uninstall Firefox for Android until patched.

Settings > Apps > Firefox > Disable/Uninstall

Restrict app installations

android

Prevent installation of unknown Android apps that could exploit this vulnerability.

Settings > Security > Unknown sources (disable)

🧯 If You Can't Patch

  • Use alternative browsers on Android devices.
  • Implement mobile device management (MDM) to block malicious app installations.

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in Settings > About Firefox. If version is less than 68.7, it is vulnerable.

Check Version:

Not applicable for Android GUI; use Settings > About Firefox.

Verify Fix Applied:

Confirm Firefox version is 68.7 or higher in Settings > About Firefox.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Intent activities targeting Firefox from other apps in Android logs.

Network Indicators:

  • None specific to this vulnerability.

SIEM Query:

Not typically applicable for mobile app vulnerabilities.

📊 Metadata

CVE ID: CVE-2020-6828
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-22
Published: April 24, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-6828, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)