PT-2021-11144 · Unknown · Oclean Mobile Application

C3R34Lk1Ll3R

Published

2021-02-11

Updated

2021-07-21

CVE-2020-25493

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Oclean Mobile Application version 2.1.2

Description: The Oclean Mobile Application communicates with an external website using HTTP, making it possible to eavesdrop on the network traffic. The content of the HTTP payload is encrypted using XOR with a hardcoded key, which allows for the possibility to decode the traffic.

Recommendations: For Oclean Mobile Application version 2.1.2, consider disabling the HTTP communication with the external website until a secure communication protocol, such as HTTPS, is implemented. As a temporary workaround, restrict access to sensitive information transmitted over the network to minimize the risk of exploitation.

Exploit

Fix

Using Hardcoded Credentials

Use of a Broken Cryptographic Algorithm

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798CWE-327

Related Identifiers

CVE-2020-25493

Affected Products

Oclean Mobile Application

PT-2021-11144 · Unknown · Oclean Mobile Application

CVE-2020-25493

Weakness Enumeration

Related Identifiers

Affected Products

References · 7