CVE-2020-12624

Published: May 3, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions.

Affected (1)

Products: Theleague: The League

Theleague

1 product

The League

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Theleague The League	Before 2020-05-02

Related CWEs

CWE-459

Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

References (2)

https://push32.com/post/dating-app-fail/

Source: cve@mitre.org

ExploitThird Party Advisory

https://push32.com/post/dating-app-fail/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.