PT-2019-12272 · Zalora · Zalora

Zaloraa

Published

2019-04-22

Updated

2020-08-24

CVE-2019-11384

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Zalora application version 6.15.1

Description The issue allows a non-root user to obtain the username and password of a valid user due to insecure storage of confidential information in plain text. This can be accessed via the /data/data/com.zalora.android/shared prefs/login data.xml endpoint.

Recommendations For Zalora application version 6.15.1, consider restricting access to the login data.xml file to minimize the risk of exploitation. As a temporary workaround, avoid using the application until a secure version is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-312

Related Identifiers

CVE-2019-11384

Affected Products

Zalora

PT-2019-12272 · Zalora · Zalora

CVE-2019-11384

Weakness Enumeration

Related Identifiers

Affected Products

References · 3