PT-2019-12272 · Zalora · Zalora
Zaloraa
·
Publicado
2019-04-22
·
Atualizado
2020-08-24
·
CVE-2019-11384
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zalora application version 6.15.1
Description
The issue allows a non-root user to obtain the username and password of a valid user due to insecure storage of confidential information in plain text. This can be accessed via the /data/data/com.zalora.android/shared prefs/login data.xml endpoint.
Recommendations
For Zalora application version 6.15.1, consider restricting access to the login data.xml file to minimize the risk of exploitation. As a temporary workaround, avoid using the application until a secure version is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Cleartext Storage of Sensitive Information
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Zalora