Vulnerabilities related to Ossur - Mobile Logic Application
CVE-2024-53683 (GCVE-0-2024-53683)
Vulnerability from cvelistv5
Published
2025-01-17 16:44
Modified
2025-01-21 16:40
Severity
4.4 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
5.6 (Medium) - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
A valid set of credentials in a .js file and a static token for
communication were obtained from the decompiled IPA. An attacker could
use the information to disrupt normal use of the application by changing
the translation files and thus weaken the integrity of normal use.
References
Impacted products
Vendor | Product | Version
---|---|---
Ossur | Mobile Logic Application | Version: 0 < 1.5.5
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-53683", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-21T16:40:31.139479Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-21T16:40:39.805Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Mobile Logic Application", vendor: "Ossur", versions: [ { lessThan: "1.5.5", status: "affected", version: "0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bryan Riggins reported these vulnerabilities to CISA.", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "A valid set of credentials in a .js file and a static token for \ncommunication were obtained from the decompiled IPA. An attacker could \nuse the information to disrupt normal use of the application by changing\n the translation files and thus weaken the integrity of normal use.", }, ], value: "A valid set of credentials in a .js file and a static token for \ncommunication were obtained from the decompiled IPA. 
An attacker could \nuse the information to disrupt normal use of the application by changing\n the translation files and thus weaken the integrity of normal use.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, { cvssV4_0: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "PRESENT", attackVector: "LOCAL", baseScore: 5.6, baseSeverity: "MEDIUM", privilegesRequired: "HIGH", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "HIGH", vulnerabilityResponseEffort: "NOT_DEFINED", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-497", description: "CWE-497", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-17T16:44:17.245Z", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { url: "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Ossur recommends users download Version 1.5.5 or later of the mobile \napplication. The latest version of the application can be obtained \nthrough the app store on respective mobile devices. 
No additional action\n is required by users.\n\n<br>", }, ], value: "Ossur recommends users download Version 1.5.5 or later of the mobile \napplication. The latest version of the application can be obtained \nthrough the app store on respective mobile devices. No additional action\n is required by users.", }, ], source: { advisory: "ICSMA-24-354-01", discovery: "EXTERNAL", }, title: "Ossur Mobile Logic Application Exposure of Sensitive System Information to an Unauthorized Control Sphere", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2024-53683", datePublished: "2025-01-17T16:44:17.245Z", dateReserved: "2024-12-17T14:11:48.969Z", dateUpdated: "2025-01-21T16:40:39.805Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-54681 (GCVE-0-2024-54681)
Vulnerability from cvelistv5
Published
2025-01-17 16:46
Modified
2025-01-21 16:40
Summary
Multiple bash files were present in the application's private directory.
Bash files can be used on their own, by an attacker that has already
full access to the mobile platform to compromise the translations for
the application.
References
Impacted products
Vendor | Product | Version
---|---|---
Ossur | Mobile Logic Application | Version: 0 < 1.5.5
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-54681", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-21T16:40:49.310123Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-21T16:40:59.307Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Mobile Logic Application", vendor: "Ossur", versions: [ { lessThan: "1.5.5", status: "affected", version: "0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bryan Riggins reported these vulnerabilities to CISA.", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Multiple bash files were present in the application's private directory.\n Bash files can be used on their own, by an attacker that has already \nfull access to the mobile platform to compromise the translations for \nthe application.", }, ], value: "Multiple bash files were present in the application's private directory.\n Bash files can be used on their own, by an attacker that has already \nfull access to the mobile platform to compromise the translations for \nthe application.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, { cvssV4_0: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "PRESENT", attackVector: "NETWORK", baseScore: 2, baseSeverity: "LOW", 
privilegesRequired: "LOW", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "ACTIVE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", version: "4.0", vulnAvailabilityImpact: "LOW", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "NONE", vulnerabilityResponseEffort: "NOT_DEFINED", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-77", description: "CWE-77 Command Injection", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-17T16:46:40.813Z", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { url: "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Ossur recommends users download Version 1.5.5 or later of the mobile \napplication. The latest version of the application can be obtained \nthrough the app store on respective mobile devices. No additional action\n is required by users.\n\n<br>", }, ], value: "Ossur recommends users download Version 1.5.5 or later of the mobile \napplication. The latest version of the application can be obtained \nthrough the app store on respective mobile devices. No additional action\n is required by users.", }, ], source: { advisory: "ICSMA-24-354-01", discovery: "EXTERNAL", }, title: "Ossur Mobile Logic Application Command Injection", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2024-54681", datePublished: "2025-01-17T16:46:40.813Z", dateReserved: "2024-12-17T14:11:48.995Z", dateUpdated: "2025-01-21T16:40:59.307Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-45832 (GCVE-0-2024-45832)
Vulnerability from cvelistv5
Published
2025-01-17 16:49
Modified
2025-01-17 17:59
Severity
4.3 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
2.0 (Low) - CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:H/SA:N
Summary
Hard-coded credentials were included as part of the application binary.
These credentials served as part of the application authentication flow
and communication with the mobile application. An attacker could access
unauthorized information.
References
Impacted products
Vendor | Product | Version
---|---|---
Ossur | Mobile Logic Application | Version: 0 < 1.5.5
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-45832", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-17T17:49:56.727185Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-17T17:59:26.276Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Mobile Logic Application", vendor: "Ossur", versions: [ { lessThan: "1.5.5", status: "affected", version: "0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bryan Riggins reported these vulnerabilities to CISA.", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Hard-coded credentials were included as part of the application binary. \nThese credentials served as part of the application authentication flow \nand communication with the mobile application. An attacker could access \nunauthorized information.", }, ], value: "Hard-coded credentials were included as part of the application binary. \nThese credentials served as part of the application authentication flow \nand communication with the mobile application. 
An attacker could access \nunauthorized information.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "PHYSICAL", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, { cvssV4_0: { Automatable: "NOT_DEFINED", Recovery: "NOT_DEFINED", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "PRESENT", attackVector: "PHYSICAL", baseScore: 2, baseSeverity: "LOW", privilegesRequired: "NONE", providerUrgency: "NOT_DEFINED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "LOW", subIntegrityImpact: "HIGH", userInteraction: "NONE", valueDensity: "NOT_DEFINED", vectorString: "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:H/SA:N", version: "4.0", vulnAvailabilityImpact: "LOW", vulnConfidentialityImpact: "LOW", vulnIntegrityImpact: "LOW", vulnerabilityResponseEffort: "NOT_DEFINED", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-798", description: "CWE-798 Use of Hard-coded Credentials", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-17T16:49:56.088Z", orgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", shortName: "icscert", }, references: [ { url: "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Ossur recommends users download Version 1.5.5 or later of the mobile \napplication. The latest version of the application can be obtained \nthrough the app store on respective mobile devices. 
No additional action\n is required by users.\n\n<br>", }, ], value: "Ossur recommends users download Version 1.5.5 or later of the mobile \napplication. The latest version of the application can be obtained \nthrough the app store on respective mobile devices. No additional action\n is required by users.", }, ], source: { advisory: "ICSMA-24-354-01", discovery: "EXTERNAL", }, title: "Ossur Mobile Logic Application Use of Hard-coded Credentials", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", assignerShortName: "icscert", cveId: "CVE-2024-45832", datePublished: "2025-01-17T16:49:56.088Z", dateReserved: "2024-12-17T14:11:48.984Z", dateUpdated: "2025-01-17T17:59:26.276Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }