Description
When a user wants to log into Mozilla VPN, the VPN client will make a request to
https://vpn.mozilla.org/api/v2/vpn/login/windows to obtain an authorization URL. The endpoint
takes a port parameter that will be reflected in an `<img>` element after the user signs into
the web page. It was found that the port parameter can be of arbitrary value. Further, it is
possible to inject the @ sign, so that the request will go to an arbitrary host instead of
localhost. Theoretically, an attacker can give a crafted URL to a victim and once the
victim uses it to log in, their authorization code will be leaked to the attacker’s website.
However, the CSP in place contains a strict img-src directive which prevents
exploitation.