History: Nov 03, 2023 - 4:15 a.m.

CVE-2023-36620

2023-11-03 04:15:21
CWE-284
mitre
web.nvd.nist.gov
boomerang parental control
android
cve-2023-36620
security issue
api token
backup vulnerability

CVSS3: 4.6

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 4.7
Confidence: High

EPSS: 0.001
Percentile: 20.7%

An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to back up the internal memory of the app to a PC, which gives the user access to the API token that is used to authenticate requests to the API.

Affected configurations

Nvd node: nationaledtech boomerang, range <13.83, android

Vendor: nationaledtech
Product: boomerang
Version: *
CPE: cpe:2.3:a:nationaledtech:boomerang:*:*:*:*:*:android:*:*
