Vulnrichment / Wordfence: VULNRICHMENT:CVE-2024-7628
History: Aug 15, 2024 - 2:30 a.m.

CVE-2024-7628 MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.2 - Authentication Bypass to Account Takeover

2024-08-15 02:30:37
CWE-288
Wordfence
github.com
mstore api
wordpress
authentication bypass
version 4.15.2
loose comparison
verify_id_token
unauthenticated attackers
administrator
firebase configuration
account takeover
native android
native ios
cloud plugin
vulnerability

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.1
Confidence: Low

SSVC
Exploitation: none
Automatable: no
Technical Impact: total

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the ‘verify_id_token’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires Firebase to be configured on the website and the user to have set up Firebase for their account.
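The description attributes the bypass to a loose comparison inside verify_id_token. As an added illustration, not the plugin's code and not reconstructed from it, the PHP below contrasts a token-claim check written with PHP's loose `==` against one written with a type guard and `hash_equals`. The function names, the inputs and the table of cases are constructed for this example; the point is that `==` treats values as equal whenever type juggling can coerce them to the same thing, which is never what an identity check wants.

```php
<?php
// Constructed illustration of why identity-bearing token claims must not be
// compared with PHP's loose "==". Not the MStore API plugin's code.

// Weak form: loose comparison applies PHP type juggling before comparing.
function claim_matches_loose($claim, $expected): bool
{
    return $claim == $expected;
}

// Hardened form: the claim must already be a string, and the comparison is
// strict (hash_equals also keeps the comparison constant-time).
function claim_matches_strict($claim, string $expected): bool
{
    return is_string($claim) && hash_equals($expected, $claim);
}

// Constructed cases: [claim taken from a decoded token, value stored for the user].
$cases = [
    ['1e3',   '1000'],   // two numeric strings: "==" compares them as numbers
    [0,       'admin'],  // int 0 vs non-numeric string: true on PHP < 8.0
    [true,    'admin'],  // bool true vs any non-empty string: true
    [null,    ''],       // null vs empty string: true
    ['admin', 'admin'],  // the only case a strict check should accept
];

foreach ($cases as [$claim, $expected]) {
    printf(
        "%-8s vs %-8s  loose=%-5s strict=%s\n",
        var_export($claim, true),
        var_export($expected, true),
        claim_matches_loose($claim, $expected) ? 'true' : 'false',
        claim_matches_strict($claim, $expected) ? 'true' : 'false'
    );
}
```

Run as `php loose_vs_strict.php` (file name assumed). Every row except the last reports `loose=true` on PHP 7.x (the `0 == 'admin'` row becomes false from PHP 8.0 on), while the strict check accepts only the exact string match. In a real verifier the defensive pattern is the same: validate the token's signature first, take the subject identifier out of the verified payload as a string, and look the user up by that exact value rather than testing loosely-typed claims against stored fields.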

CNA Affected

[
  {
    "vendor": "inspireui",
    "product": "MStore API – Create Native Android & iOS Apps On The Cloud",
    "versions": [
      {
        "status": "affected",
        "version": "*",
        "versionType": "semver",
        "lessThanOrEqual": "4.15.2"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:inspireui:mstore_api_create_native_android_and_ios_apps_on_the_cloud:*:*:*:*:*:*:*:*"
    ],
    "vendor": "inspireui",
    "product": "mstore_api_create_native_android_and_ios_apps_on_the_cloud",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "4.15.2"
      }
    ],
    "defaultStatus": "unknown"
  }
]
