CVE-2017-11706

{"id": "CVE-2017-11706", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2017-07-28T05:29:00.777", "references": [{"url": "https://hackerone.com/reports/166712", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://wwws.nightwatchcybersecurity.com/2017/07/27/boozt-fashion-android-app-didnt-use-ssl-for-login-cve-2017-11706/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "The Boozt Fashion application before 2.3.4 for Android allows remote attackers to read login credentials by sniffing the network and leveraging the lack of SSL. NOTE: the vendor response, before the application was changed to enable SSL logins, was \"At the moment that is an accepted risk. We only have https on the checkout part of the site.\""}, {"lang": "es", "value": "La aplicaci\u00f3n Boozt Fashion anterior a la versi\u00f3n 2.3.4 para Android, permite a los atacantes remotos leer las credenciales de inicio de sesi\u00f3n mediante el espiado de la red y aprovechando la ausencia de certificados SSL. NOTA: la respuesta del proveedor, antes que la aplicaci\u00f3n fuera cambiada para habilitar los inicios de sesi\u00f3n SSL, fue \"At the moment that is an accepted risk. We only have https on the checkout part of the site.\""}], "lastModified": "2017-08-15T17:43:35.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:boozt:boozt:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "8F6A71A6-5F70-4E80-BCA3-67C128FA8FDC", "versionEndIncluding": "2.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}