Skip to main content

Session Fixation

CVE-2020-6824

Severity Low
Score 2.8/10

Summary

Initially, a user opens a Private Browsing Window and generates a password for a site, then closes the Private Browsing Window but leaves Firefox open. Subsequently, if the user had opened a new Private Browsing Window, revisited the same site, and generated a new password - the generated passwords would have been identical, rather than independent. This vulnerability affects Firefox < 75.

  • LOW
  • LOCAL
  • NONE
  • UNCHANGED
  • REQUIRED
  • LOW
  • LOW
  • NONE

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

Advisory Timeline

  • Published