CVE-2020-11614

Published: Jun 11, 2020Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace executable files with malicious versions, which the operating system then executes under the context of the user running Hero Designer.

Affected (1)

Products: Mids' Reborn Hero Designer Project: Mids' Reborn Hero Designer

Mids' Reborn Hero Designer Project

1 product

Mids' Reborn Hero Designer

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mids' Reborn Hero Designer Project Mids' Reborn Hero Designer	Version 2.6.0.7

Related CWEs

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References (4)

https://github.com/Crytilis/mids-reborn-hero-designer/releases

Source: cve@mitre.org

Release NotesThird Party Advisory

https://www.doyler.net/security-not-included/mids-reborn-vulnerabilities

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/Crytilis/mids-reborn-hero-designer/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://www.doyler.net/security-not-included/mids-reborn-vulnerabilities

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.