EUVD-2017-2769
Malware in sbrugna...
EUVD-2017-2768
Malware in sbrugna...
heinekingmedia StashCat Weak Password Vulnerability
heinekingmedia StashCat for Android, Web and Desktop are all products of the German company heinekingmedia. heinekingmedia StashCat for Android is an Android-based enterprise communication software. heinekingmedia StashCat for Web is the Web-based version and heinekingmedia StashCat for Desktop i...
heinekingmedia StashCat Password Attack Vulnerability
heinekingmedia StashCat for Android is an Android-based enterprise communication software from the German company heinekingmedia. heinekingmedia StashCat suffers from a password attack vulnerability that stems from user passwords being hashed directly with SHA-512. By exploiting this vulnerabilit...
heinekingmedia StashCat for Android, Web and Desktop Man-in-the-Middle Attack Vulnerability
heinekingmedia StashCat for Android, Web and Desktop are all products of the German company heinekingmedia. heinekingmedia StashCat for Android is an Android-based enterprise communication software. heinekingmedia StashCat for Web is the web-based version and heinekingmedia StashCat for Desktop i...
Design/Logic Flaw
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The login credentials are written into a log file on the device. Hence, an attacker with access to the logs can read them...
CVE-2017-11133
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. To encrypt messages, AES in CBC mode is used with a pseudo-random secret. This secret and the IV are generated with math.random in previous versions and with...
CVE-2017-11134
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android. The login credentials are written into a log file on the device. Hence, an attacker with access to the logs can read them...
Authentication flaw
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. For authentication, the user password is hashed directly with SHA-512 without a salt or another key-derivation mechanism to enable a secure secret for...
CVE-2017-11130
This CVE affects heinekingmedia StashCat: Android up to 1.7.5, Web up to 0.0.80w, Desktop up to 0.0.86. Root cause: the protocol only aims to protect confidentiality; there are no integrity or authenticity checks in the entire protocol. Consequence: man-in-the-middle attackers can perform replay ...
CVE-2017-11131
The CVE-2017-11131 issue affects heinekingmedia StashCat across Android (1.7.5), Web (0.0.80w), and Desktop (0.0.86). The root cause is hashing user passwords with SHA-512 without a salt or key-derivation function, and using only the first 32 bytes of the hash. This enables dictionary and rainbow...
CVE-2017-11136
The CVE-2017-11136 issue affects heinekingmedia StashCat for Android, Web and Desktop (versions up to 1.7.5, 0.0.80w, 0.0.86 respectively). The design flaw: the private RSA key used for exchanging a secret for symmetric message encryption is transmitted to the backend in addition to being stored ...
CVE-2017-11133
CVE-2017-11133 affects heinekingmedia StashCat across Android (1.7.5), Web (0.0.80w), and Desktop (0.0.86). The issue is in the message encryption: AES in CBC mode is used with a pseudo-random secret and IV generated by math.random(), with newer builds using CryptoJS.lib.WordArray.random() (whi...
CVE-2017-11132
The CVE-2017-11132 issue affects heinekingmedia StashCat for Android (pre-1.5.18). The root cause is missing certificate pinning: an attacker who can obtain a certificate for the backend's hostname from any CA the device trusts has the application accept it without notice. Public references describe the ...
CVE-2017-11134
The CVE-2017-11134 issue affects heinekingmedia StashCat for Android (up to version 1.7.5). The root cause is that login credentials are written to a log file on the device, allowing an attacker with access to the logs to read them. The connected sources corroborate this information across multip...
CVE-2017-11129
Affected software: heinekingmedia StashCat for Android (versions up to 1.7.5). Root cause: the keystore is protected by a hard-coded password, so anyone with access to the keystore file can read its contents (e.g., private keys). Impact: potential unauthorized reading of sensitive data stored in the ke...
CVE-2017-11135
CVE-2017-11135 affects heinekingmedia StashCat on Android (up to v1.7.5), Web (up to v0.0.80w) and Desktop (up to v0.0.86). Root cause: the logout mechanism does not check authorization, allowing an attacker who knows the device ID to cause a denial of service. The vulnerability stems from client...
CVE-2017-11130
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The product's protocol only tries to ensure confidentiality. In the whole protocol, no integrity or authenticity checks are done. Therefore man-in-the-middle...
CVE-2017-11136
An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. It uses RSA to exchange a secret for symmetric encryption of messages. However, the private RSA key is not only stored on the client but transmitted to the backen...