CWE-922
Insecure Storage of Sensitive Information
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
CVE-2017-5249 (GCVE-0-2017-5249)
Vulnerability from cvelistv5 – Published: 2018-02-22 16:00 – Updated: 2024-08-05 14:55
VLAI?
Summary
In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
Severity ?
No CVSS data available.
CWE
- CWE-922 - (Insecure Storage of Sensitive Information)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Wink Labs Inc | Wink - Smart Home |
Affected:
6.1.0.19 and prior
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.817Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wink - Smart Home",
"vendor": "Wink Labs Inc",
"versions": [
{
"status": "affected",
"version": "6.1.0.19 and prior"
}
]
}
],
"datePublic": "2018-02-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In version 6.1.0.19 and prior of Wink Labs\u0027s Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 (Insecure Storage of Sensitive Information)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-22T15:57:01",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2017-5249",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Wink - Smart Home",
"version": {
"version_data": [
{
"version_value": "6.1.0.19 and prior"
}
]
}
}
]
},
"vendor_name": "Wink Labs Inc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In version 6.1.0.19 and prior of Wink Labs\u0027s Wink - Smart Home Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922 (Insecure Storage of Sensitive Information)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2017-5249",
"datePublished": "2018-02-22T16:00:00",
"dateReserved": "2017-01-09T00:00:00",
"dateUpdated": "2024-08-05T14:55:35.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-5250 (GCVE-0-2017-5250)
Vulnerability from cvelistv5 – Published: 2018-02-22 16:00 – Updated: 2024-08-05 14:55
VLAI?
Summary
In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner.
Severity ?
No CVSS data available.
CWE
- CWE-922 - (Insecure Storage of Sensitive Information)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Insteon | Insteon for Hub |
Affected:
1.9.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T14:55:35.809Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Insteon for Hub",
"vendor": "Insteon",
"versions": [
{
"status": "affected",
"version": "1.9.7"
}
]
}
],
"datePublic": "2018-02-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In version 1.9.7 and prior of Insteon\u0027s Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922 (Insecure Storage of Sensitive Information)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-22T15:57:01",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2017-5250",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Insteon for Hub",
"version": {
"version_data": [
{
"version_value": "1.9.7"
}
]
}
}
]
},
"vendor_name": "Insteon"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In version 1.9.7 and prior of Insteon\u0027s Insteon for Hub Android app, the OAuth token used by the app to authorize user access is not stored in an encrypted and secure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922 (Insecure Storage of Sensitive Information)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2017/09/22/multiple-vulnerabilities-in-wink-and-insteon-smart-home-systems/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2017-5250",
"datePublished": "2018-02-22T16:00:00",
"dateReserved": "2017-01-09T00:00:00",
"dateUpdated": "2024-08-05T14:55:35.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3684 (GCVE-0-2019-3684)
Vulnerability from cvelistv5 – Published: 2019-05-13 14:17 – Updated: 2024-09-17 00:10
VLAI?
Summary
SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade created world-readable swap files on systems that don't have a swap already configured and don't have btrfs as filesystem
Severity ?
4 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SUSE | SUSE Manager |
Affected:
unspecified , < 4.0.7
(custom)
|
||
Credits
Malte Kraus from SUSE
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:16.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131954"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SUSE Manager",
"vendor": "SUSE",
"versions": [
{
"lessThan": "4.0.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "Uyuni",
"vendor": "Uyuni",
"versions": [
{
"lessThan": "1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Malte Kraus from SUSE"
}
],
"datePublic": "2019-04-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade created world-readable swap files on systems that don\u0027t have a swap already configured and don\u0027t have btrfs as filesystem"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-13T14:17:09",
"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"shortName": "suse"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131954"
}
],
"source": {
"defect": [
"https://bugzilla.suse.com/show_bug.cgi?id=1131954"
],
"discovery": "INTERNAL"
},
"title": "susemanager installer creates world-readable swap files",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"DATE_PUBLIC": "2019-04-09T00:00:00.000Z",
"ID": "CVE-2019-3684",
"STATE": "PUBLIC",
"TITLE": "susemanager installer creates world-readable swap files"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SUSE Manager",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.0.7"
}
]
}
}
]
},
"vendor_name": "SUSE"
},
{
"product": {
"product_data": [
{
"product_name": "Uyuni",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade"
}
]
}
}
]
},
"vendor_name": "Uyuni"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Malte Kraus from SUSE"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a7191a6fb46bb83e98ae4b99a5ade created world-readable swap files on systems that don\u0027t have a swap already configured and don\u0027t have btrfs as filesystem"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.suse.com/show_bug.cgi?id=1131954",
"refsource": "MISC",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1131954"
}
]
},
"source": {
"defect": [
"https://bugzilla.suse.com/show_bug.cgi?id=1131954"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb",
"assignerShortName": "suse",
"cveId": "CVE-2019-3684",
"datePublished": "2019-05-13T14:17:09.831416Z",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-09-17T00:10:47.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5625 (GCVE-0-2019-5625)
Vulnerability from cvelistv5 – Published: 2019-05-22 18:11 – Updated: 2024-08-04 20:01
VLAI?
Summary
The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
Severity ?
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
This vulnerability was discovered by Rapid7 researcher Deral Heiland.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.038Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HALO Home",
"vendor": "Eaton",
"versions": [
{
"status": "affected",
"version": "before 1.11.0"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user\u0027s personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-22T18:11:12",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update their HALO Home app to v1.11.0 or higher via Google Play."
}
],
"source": {
"advisory": "R7-2019-07.1",
"discovery": "EXTERNAL"
},
"title": "Eaton Halo Home Android App Insecure Storage",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2019-5625",
"STATE": "PUBLIC",
"TITLE": "Eaton Halo Home Android App Insecure Storage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HALO Home",
"version": {
"version_data": [
{
"version_value": "before 1.11.0"
}
]
}
}
]
},
"vendor_name": "Eaton"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user\u0027s personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"name": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf",
"refsource": "MISC",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/CVE-2019-5625-Halo-home-smart-lighting-vulnerability-advisory.pdf"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update their HALO Home app to v1.11.0 or higher via Google Play."
}
],
"source": {
"advisory": "R7-2019-07.1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5625",
"datePublished": "2019-05-22T18:11:12",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-08-04T20:01:52.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5626 (GCVE-0-2019-5626)
Vulnerability from cvelistv5 – Published: 2019-05-22 18:11 – Updated: 2024-08-04 20:01
VLAI?
Summary
The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
Severity ?
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
This vulnerability was discovered by Rapid7 researcher Deral Heiland.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:51.895Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.bluecats.bcreveal"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Reveal",
"vendor": "BlueCats",
"versions": [
{
"status": "affected",
"version": "before 3.0.19"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-22T18:11:32",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.bluecats.bcreveal"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update their BlueCats Reveal app to v3.0.19 or higher via Google Play."
}
],
"source": {
"advisory": "R7-2018-65.1",
"discovery": "EXTERNAL"
},
"title": "BlueCats Reveal Android App Insecure Storage",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2019-5626",
"STATE": "PUBLIC",
"TITLE": "BlueCats Reveal Android App Insecure Storage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Reveal",
"version": {
"version_data": [
{
"version_value": "before 3.0.19"
}
]
}
}
]
},
"vendor_name": "BlueCats"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Android mobile application BlueCats Reveal before 3.0.19 stores the username and password in a clear text file. This file persists until the user logs out or the session times out from non-usage (30 days of no user activity). This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"name": "https://play.google.com/store/apps/details?id=com.bluecats.bcreveal",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.bluecats.bcreveal"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update their BlueCats Reveal app to v3.0.19 or higher via Google Play."
}
],
"source": {
"advisory": "R7-2018-65.1",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5626",
"datePublished": "2019-05-22T18:11:32",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-08-04T20:01:51.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5627 (GCVE-0-2019-5627)
Vulnerability from cvelistv5 – Published: 2019-05-22 18:12 – Updated: 2024-08-04 20:01
VLAI?
Summary
The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app.
Severity ?
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Credits
This vulnerability was discovered by Rapid7 researcher Deral Heiland.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.006Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://itunes.apple.com/us/app/bc-reveal/id852676494"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Reveal",
"vendor": "BlueCats",
"versions": [
{
"status": "affected",
"version": "before 5.14"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"descriptions": [
{
"lang": "en",
"value": "The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-22T18:12:01",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://itunes.apple.com/us/app/bc-reveal/id852676494"
}
],
"solutions": [
{
"lang": "en",
"value": "Users should update their BlueCats Reveal app to v5.14 or higher via the Apple App Store."
}
],
"source": {
"advisory": "R7-2018-65.2",
"discovery": "EXTERNAL"
},
"title": "BlueCats Reveal iOS App Insecure Storage",
"x_generator": {
"engine": "Vulnogram 0.0.6"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"ID": "CVE-2019-5627",
"STATE": "PUBLIC",
"TITLE": "BlueCats Reveal iOS App Insecure Storage"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Reveal",
"version": {
"version_data": [
{
"version_value": "before 5.14"
}
]
}
}
]
},
"vendor_name": "BlueCats"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This vulnerability was discovered by Rapid7 researcher Deral Heiland."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The iOS mobile application BlueCats Reveal before 5.14 stores the username and password in the app cache as base64 encoded strings, i.e. clear text. These persist in the cache even if the user logs out. This can allow an attacker to compromise the affected BlueCats network implementation. The attacker would first need to gain physical control of the iOS device or compromise it with a malicious app."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.6"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystem-r7-2018-65-r7-2019-07-fixed/"
},
{
"name": "https://itunes.apple.com/us/app/bc-reveal/id852676494",
"refsource": "MISC",
"url": "https://itunes.apple.com/us/app/bc-reveal/id852676494"
}
]
},
"solution": [
{
"lang": "en",
"value": "Users should update their BlueCats Reveal app to v5.14 or higher via the Apple App Store."
}
],
"source": {
"advisory": "R7-2018-65.2",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5627",
"datePublished": "2019-05-22T18:12:01",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-08-04T20:01:52.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5632 (GCVE-0-2019-5632)
Vulnerability from cvelistv5 – Published: 2019-08-22 13:51 – Updated: 2024-09-16 21:57
VLAI?
Summary
An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions.
Severity ?
6.5 (Medium)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Belwith Products, LLC | Hickory Smart |
Affected:
unspecified , ≤ 01.01.43
(custom)
|
Credits
This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:51.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://play.google.com/store/apps/details?id=com.belwith.hickorysmart\u0026hl=en_US"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Hickory Smart",
"vendor": "Belwith Products, LLC",
"versions": [
{
"lessThanOrEqual": "01.01.43",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."
}
],
"datePublic": "2019-08-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application\u0027s database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-22T13:51:36",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://play.google.com/store/apps/details?id=com.belwith.hickorysmart\u0026hl=en_US"
}
],
"source": {
"advisory": "R7-2019-18.1",
"discovery": "INTERNAL"
},
"title": "Hickory Smart Lock Insecure Storage on Android",
"x_generator": {
"engine": "Vulnogram 0.0.7"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2019-08-01T13:05:00.000Z",
"ID": "CVE-2019-5632",
"STATE": "PUBLIC",
"TITLE": "Hickory Smart Lock Insecure Storage on Android"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Hickory Smart",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "01.01.43"
}
]
}
}
]
},
"vendor_name": "Belwith Products, LLC"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application\u0027s database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for Android, version 01.01.43 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.7"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
},
{
"name": "https://play.google.com/store/apps/details?id=com.belwith.hickorysmart\u0026hl=en_US",
"refsource": "MISC",
"url": "https://play.google.com/store/apps/details?id=com.belwith.hickorysmart\u0026hl=en_US"
}
]
},
"source": {
"advisory": "R7-2019-18.1",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5632",
"datePublished": "2019-08-22T13:51:36.900485Z",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-09-16T21:57:21.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-5633 (GCVE-0-2019-5633)
Vulnerability from cvelistv5 – Published: 2019-08-22 13:51 – Updated: 2024-09-16 16:42
VLAI?
Summary
An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions.
Severity ?
6.5 (Medium)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Belwith Products, LLC | Hickory Smart |
Affected:
unspecified , ≤ 01.01.07
(custom)
|
Credits
This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7's vulnerability disclosure policy (https://www.rapid7.com/disclosure/).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.173Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://apps.apple.com/us/app/hickory-smart/id1189748191"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Hickory Smart",
"vendor": "Belwith Products, LLC",
"versions": [
{
"lessThanOrEqual": "01.01.07",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."
}
],
"datePublic": "2019-08-01T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application\u0027s database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-22T13:51:36",
"orgId": "9974b330-7714-4307-a722-5648477acda7",
"shortName": "rapid7"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://apps.apple.com/us/app/hickory-smart/id1189748191"
}
],
"source": {
"advisory": "R7-2019-18.2",
"discovery": "INTERNAL"
},
"title": "Hickory Smart Lock Insecure Storage on iOS",
"x_generator": {
"engine": "Vulnogram 0.0.7"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@rapid7.com",
"DATE_PUBLIC": "2019-08-01T13:05:00.000Z",
"ID": "CVE-2019-5633",
"STATE": "PUBLIC",
"TITLE": "Hickory Smart Lock Insecure Storage on iOS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Hickory Smart",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "01.01.07"
}
]
}
}
]
},
"vendor_name": "Belwith Products, LLC"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered and reported by Deral Heiland of Rapid7. It has been disclosed in accordance with Rapid7\u0027s vulnerability disclosure policy (https://www.rapid7.com/disclosure/)."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application\u0027s database was found to contain information that could be used to control the lock devices remotely. This issue affects Hickory Smart for iOS, version 01.01.07 and prior versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.7"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/",
"refsource": "MISC",
"url": "https://blog.rapid7.com/2019/08/01/r7-2019-18-multiple-hickory-smart-lock-vulnerabilities/"
},
{
"name": "https://apps.apple.com/us/app/hickory-smart/id1189748191",
"refsource": "MISC",
"url": "https://apps.apple.com/us/app/hickory-smart/id1189748191"
}
]
},
"source": {
"advisory": "R7-2019-18.2",
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "9974b330-7714-4307-a722-5648477acda7",
"assignerShortName": "rapid7",
"cveId": "CVE-2019-5633",
"datePublished": "2019-08-22T13:51:36.974673Z",
"dateReserved": "2019-01-07T00:00:00",
"dateUpdated": "2024-09-16T16:42:37.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-7000 (GCVE-0-2020-7000)
Vulnerability from cvelistv5 – Published: 2020-04-03 17:50 – Updated: 2024-08-04 09:18
VLAI?
Summary
VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface.
Severity ?
No CVSS data available.
CWE
- CWE-922 - INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| VISAM | VBASE Editor |
Affected:
11.5.0.2
|
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T09:18:03.107Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-084-01"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VBASE Editor",
"vendor": "VISAM",
"versions": [
{
"status": "affected",
"version": "11.5.0.2"
}
]
},
{
"product": "VBASE Web-Remote Module",
"vendor": "VISAM",
"versions": [
{
"status": "affected",
"version": "all"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-03T17:50:58",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-084-01"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "ics-cert@hq.dhs.gov",
"ID": "CVE-2020-7000",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VBASE Editor",
"version": {
"version_data": [
{
"version_value": "11.5.0.2"
}
]
}
},
{
"product_name": "VBASE Web-Remote Module",
"version": {
"version_data": [
{
"version_value": "all"
}
]
}
}
]
},
"vendor_name": "VISAM"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote Module may allow an unauthenticated attacker to discover the cryptographic key from the web server and gain information about the login and the encryption/decryption mechanism, which may be exploited to bypass authentication of the HTML5 HMI web interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.us-cert.gov/ics/advisories/icsa-20-084-01",
"refsource": "MISC",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-084-01"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2020-7000",
"datePublished": "2020-04-03T17:50:58",
"dateReserved": "2020-01-14T00:00:00",
"dateUpdated": "2024-08-04T09:18:03.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8482 (GCVE-0-2020-8482)
Vulnerability from cvelistv5 – Published: 2020-05-29 21:33 – Updated: 2024-08-04 10:03
VLAI?
Summary
Insecure storage of sensitive information in ABB Device Library Wizard versions 6.0.X, 6.0.3.1 and 6.0.3.2 allows unauthenticated low privilege user to read file that contains confidential data
Severity ?
7.8 (High)
CWE
- CWE-922 - Insecure Storage of Sensitive Information
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ABB | ABB Device Library Wizard |
Affected:
6 <= 6.0.3.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:45.846Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121681\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ABB Device Library Wizard",
"vendor": "ABB",
"versions": [
{
"status": "affected",
"version": "6 \u003c= 6.0.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insecure storage of sensitive information in ABB Device Library Wizard versions 6.0.X, 6.0.3.1 and 6.0.3.2 allows unauthenticated low privilege user to read file that contains confidential data"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-922",
"description": "CWE-922: Insecure Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-29T21:33:10",
"orgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"shortName": "ABB"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121681\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "ABB Device Library Wizard Information Disclosure Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cybersecurity@ch.abb.com",
"ID": "CVE-2020-8482",
"STATE": "PUBLIC",
"TITLE": "ABB Device Library Wizard Information Disclosure Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ABB Device Library Wizard",
"version": {
"version_data": [
{
"version_value": "6 \u003c= 6.0.3.2"
}
]
}
}
]
},
"vendor_name": "ABB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insecure storage of sensitive information in ABB Device Library Wizard versions 6.0.X, 6.0.3.1 and 6.0.3.2 allows unauthenticated low privilege user to read file that contains confidential data"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-922: Insecure Storage of Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121681\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch",
"refsource": "CONFIRM",
"url": "https://search.abb.com/library/Download.aspx?DocumentID=2PAA121681\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "2b718523-d88f-4f37-9bbd-300c20644bf9",
"assignerShortName": "ABB",
"cveId": "CVE-2020-8482",
"datePublished": "2020-05-29T21:33:10",
"dateReserved": "2020-01-30T00:00:00",
"dateUpdated": "2024-08-04T10:03:45.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.