{"api_version":"1","generated_at":"2026-04-22T21:27:06+00:00","cve":"CVE-2018-19111","urls":{"html":"https://cve.report/CVE-2018-19111","api":"https://cve.report/api/cve/CVE-2018-19111.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-19111","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-19111"},"summary":{"title":"CVE-2018-19111","description":"The Google Cardboard application 1.8 for Android and 1.2 for iOS sends potentially private cleartext information to the Unity 3D Stats web site, as demonstrated by device make, model, and OS.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-11-08 08:29:00","updated_at":"2019-10-03 00:03:00"},"problem_types":["CWE-319"],"metrics":[],"references":[{"url":"https://www.info-sec.ca/advisories/Google-Cardboard.html","name":"https://www.info-sec.ca/advisories/Google-Cardboard.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"Google Cardboard Android & iOS Applications - Unencrypted Third Party Analytics - Info-Sec.CA (CVE-2018-19111)","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-19111","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-19111","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"19111","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"google","cpe5":"cardboard","cpe6":"1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"19111","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"google","cpe5":"cardboard","cpe6":"1.8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"19111","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"google","cpe5":"cardboard","cpe6":"1.2","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"iphone_os","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"19111","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"google","cpe5":"cardboard","cpe6":"1.8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"android","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-19111","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Google Cardboard application 1.8 for Android and 1.2 for iOS sends potentially private cleartext information to the Unity 3D Stats web site, as demonstrated by device make, model, and OS."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://www.info-sec.ca/advisories/Google-Cardboard.html","refsource":"MISC","url":"https://www.info-sec.ca/advisories/Google-Cardboard.html"}]}},"nvd":{"publishedDate":"2018-11-08 08:29:00","lastModifiedDate":"2019-10-03 00:03:00","problem_types":["CWE-319"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:google:cardboard:1.8:*:*:*:*:android:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:google:cardboard:1.2:*:*:*:*:iphone_os:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"19111","Ordinal":"136039","Title":"CVE-2018-19111","CVE":"CVE-2018-19111","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"19111","Ordinal":"1","NoteData":"The Google Cardboard application 1.8 for Android and 1.2 for iOS sends potentially private cleartext information to the Unity 3D Stats web site, as demonstrated by device make, model, and OS.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"19111","Ordinal":"2","NoteData":"2018-11-08","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"19111","Ordinal":"3","NoteData":"2018-11-08","Type":"Other","Title":"Modified"}]}}}