CVE-2019-14808

An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials).

CVSS v3 6.8 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://packetstormsecurity.com/files/154772/RENPHO-3.0.0-Information-Disclosure.html	Third Party Advisory VDB Entry
https://apps.apple.com/us/app/renpho/id1219889310	Product
https://renpho.com/pages/contact-us	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:renpho:renpho:3.0.0:*:*:*:*:iphone_os:*:*

History

No history.

Information

Published : 2019-10-09 16:15

Updated : 2021-07-21 11:39

NVD link : CVE-2019-14808

Mitre link : CVE-2019-14808

CVE.ORG link : CVE-2019-14808

JSON object : View

Products Affected

renpho

renpho

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2019-14808", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.6}]}, "published": "2019-10-09T16:15:14.420", "references": [{"url": "http://packetstormsecurity.com/files/154772/RENPHO-3.0.0-Information-Disclosure.html", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://apps.apple.com/us/app/renpho/id1219889310", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://renpho.com/pages/contact-us", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the RENPHO application 3.0.0 for iOS. It transmits JSON data unencrypted to a server without an integrity check, if a user changes personal data in his profile tab (e.g., exposure of his birthday) or logs into his account (i.e., exposure of credentials)."}, {"lang": "es", "value": "Se detect\u00f3 un problema en la aplicaci\u00f3n RENPHO versi\u00f3n 3.0.0 para iOS. Transmite datos JSON sin cifrar hacia un servidor sin una comprobaci\u00f3n de integridad, si un usuario cambia datos personales en su pesta\u00f1a de perfil (por ejemplo, exposici\u00f3n de su cumplea\u00f1os) o inicia sesi\u00f3n en su cuenta (es decir, exposici\u00f3n de credenciales)."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:renpho:renpho:3.0.0:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "CF5A83CA-E22B-47D3-816E-8AF79EE1253B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}