Vulnerability Details : CVE-2020-11614
Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace executable files with malicious versions, which the operating system then executes under the context of the user running Hero Designer.
Exploit prediction scoring system (EPSS) score for CVE-2020-11614
Probability of exploitation activity in the next 30 days: 0.18%
Percentile, the proportion of vulnerabilities that are scored at or less: ~54%
CVSS scores for CVE-2020-11614
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST |
CWE ids for CVE-2020-11614
- The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Assigned by: nvd@nist.gov (Primary)
- The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11614
- https://github.com/Crytilis/mids-reborn-hero-designer/releases
  Releases · Crytilis/mids-reborn-hero-designer · GitHub (Release Notes; Third Party Advisory)
- https://www.doyler.net/security-not-included/mids-reborn-vulnerabilities
  Mids Reborn Vulnerabilities - CVE-2020-11613 & CVE-2020-11614 | doyler.net (Exploit; Third Party Advisory)
Products affected by CVE-2020-11614
- cpe:2.3:a:mids\'_reborn_hero_designer_project:mids\'_reborn_hero_designer:2.6.0.7:*:*:*:*:*:*:*