PT-2019-15101 · Orbitz · Orbitz

Jaeho Lee

Published

2019-10-15

Updated

2019-10-18

CVE-2019-17355

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Orbitz application version 19.31.1

Description The issue concerns the storage of sensitive information during the authentication process in the Orbitz application. Specifically, the username and password are stored in the log, which may be accessible to attackers via logcat, potentially allowing them to obtain these credentials.

Recommendations For Orbitz application version 19.31.1, consider restricting access to logcat or removing sensitive information from the logs to minimize the risk of exploitation. As a temporary workaround, avoid using the application for sensitive transactions until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Insertion into Log File

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-532

Related Identifiers

CVE-2019-17355

Affected Products

Orbitz

PT-2019-15101 · Orbitz · Orbitz

CVE-2019-17355

Weakness Enumeration

Related Identifiers

Affected Products

References · 3