CVE-2019-5625
Summary
| CVE | CVE-2019-5625 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-05-22 18:29:00 UTC |
| Updated | 2020-10-16 15:36:00 UTC |
| Description | The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app. |
Risk And Classification
Problem Types: CWE-522
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Multiple Vulnerabilities Disclosed for Eaton and BlueCats IoT Devices | MISC | blog.rapid7.com | Exploit, Third Party Advisory |
| www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/securit... | MISC | www.eaton.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This vulnerability was discovered by Rapid7 researcher Deral Heiland.
There are currently no legacy QID mappings associated with this CVE.