CVE-2021-26833

Published: Apr 6, 2021Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and versions <= 1.21.115 for Android allows attacker who can locally read user's files obtain JWT tokens for user's account due to insufficient cache clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens as JWT is signed and encoded, not encrypted.

Affected (2)

Products: Timelybills: Timelybills

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Timelybills Timelybills	Up to 1.21.115
Timelybills Timelybills	Up to 1.7.0

Related CWEs

Incomplete Cleanup

The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

References (2)

https://beefaaubee.medium.com/cve-2021-26833-cleartext-storage-in-a-file-or-on-disk-in-timelybills-1-7-0-5760dc461bd0

Source: cve@mitre.org

ExploitThird Party Advisory

https://beefaaubee.medium.com/cve-2021-26833-cleartext-storage-in-a-file-or-on-disk-in-timelybills-1-7-0-5760dc461bd0

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.