CVE-2017-11135 Information

Description

An issue was discovered in heinekingmedia StashCat through 1.7.5 for Android, through 0.0.80w for Web, and through 0.0.86 for Desktop. The logout mechanism does not check for authorization, so an attacker only needs to know the device ID. This causes a denial of service. This might be interpreted as a vulnerability in customer-controlled software, in the sense that the StashCat client side has no secure way to signal that it is ending a session and that data should be deleted.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

http://seclists.org/fulldisclosure/2017/Jul/90

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

7.5

Base Severity

HIGH
