Vulnerability Details : CVE-2017-11706
The Boozt Fashion application before 2.3.4 for Android allows remote attackers to read login credentials by sniffing the network and leveraging the lack of SSL. NOTE: the vendor response, before the application was changed to enable SSL logins, was "At the moment that is an accepted risk. We only have https on the checkout part of the site."
Vulnerability category: Information leak
Products affected by CVE-2017-11706
- cpe:2.3:a:boozt:boozt:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-11706
0.38%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-11706
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-11706
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11706
-
https://hackerone.com/reports/166712
#166712 Android app does not use SSL for loginThird Party Advisory
-
https://wwws.nightwatchcybersecurity.com/2017/07/27/boozt-fashion-android-app-didnt-use-ssl-for-login-cve-2017-11706/
Boozt Fashion Android App Didn’t Use SSL for Login [CVE-2017-11706] | Nightwatch CybersecurityThird Party Advisory
Jump to