Code injection

2018-11-1515:29:00

PRIOn knowledge base

www.prio-n.com

5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.4%

JSON

Multiple +Message Apps (Softbank +Message App for Android prior to version 10.1.7, Softbank +Message App for iOS prior to version 1.1.23, NTT DOCOMO +Message App for Android prior to version 42.40.2800, NTT DOCOMO +Message App for iOS prior to version 1.1.23, KDDI +Message App for Android prior to version 1.0.6, and KDDI +Message App for iOS prior to version 1.1.23) do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CPENameOperatorVersion
\\+_messagelt1.0.6
\\+_messagelt1.1.23
\\+_messagelt1.1.23
\\+_messagelt42.40.2800
\\+_messagelt10.1.7
\\+_messagelt1.1.23

Name	Operator	Version
\\+_message	lt	1.0.6
\\+_message	lt	1.1.23
\\+_message	lt	1.1.23
\\+_message	lt	42.40.2800
\\+_message	lt	10.1.7
\\+_message	lt	1.1.23

References

jvn.jp/en/jp/JVN37288228/index.html

www.au.com/information/notice_mobile/service/2018-002/

www.nttdocomo.co.jp/info/notice/page/180927_00.html

www.softbank.jp/mobile/info/personal/news/service/20180927a/