A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.
Existe una vulnerabilidad de TLS en la aplicación de teléfono utilizada para administrar un dispositivo conectado. Esta aplicación acepta certificados autofirmados al establecer comunicación TLS, lo que puede provocar ataques de intermediario en redes no confiables. Las comunicaciones capturadas pueden incluir credenciales de usuario y tokens de sesión confidenciales.
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
| Attack Vector | ADJACENT_NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | NONE |
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
| Attack Vector | ADJACENT |
|---|---|
| Attack Complexity | LOW |
| Attack Requirements | NONE |
| Privileges Required | NONE |
| User Interaction | PASSIVE |
| Vulnerability Confidentiality | HIGH |
| Vulnerability Integrity | HIGH |
| Vulnerability Availability | NONE |
| Subsequent Confidentiality | NONE |
| Subsequent Integrity | NONE |
| Subsequent Availability | NONE |
Source: [email protected]
Type: Secondary
| Source | Type | Description |
|---|---|---|
| [email protected] | Secondary |
en
CWE-295
|