Vulnerability Details: CVE-2022-0732
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2022-0732
- cpe:2.3:a:1byte:copy9:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:exactspy:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:fonetracker:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:guestspy:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:ispyoo:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:mxspy:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:secondclone:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:the_truth_spy:-:*:*:*:*:*:*:*
- cpe:2.3:a:1byte:thespyapp:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-0732
- EPSS score: 0.18% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~56% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-0732
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2022-0732
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (Assigned by: cret@cert.org, Secondary)
- The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. (Assigned by: nvd@nist.gov, Primary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-0732
- https://www.kb.cert.org/vuls/id/229438 : VU#229438 - Mobile device monitoring services do not authenticate API requests (Third Party Advisory; US Government Resource)
- https://kb.cert.org/vuls/id/229438 : VU#229438 - Mobile device monitoring services do not authenticate API requests (Third Party Advisory; US Government Resource)
- https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/ : Behind the stalkerware network spilling the private phone data of hundreds of thousands - TechCrunch (Press/Media Coverage; Third Party Advisory)
- https://cwe.mitre.org/data/definitions/284.html : CWE-284: Improper Access Control (4.6) (Not Applicable)