CVE-2018-17402 Information

Feb 14, 2021 cve

Description

LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks DISPUTED LICENSE README.md cvefilelist cvelist nvdcve nvdpages.sh scripts test-CVE-2017-1882.markdown test-CVE-2017-18822.markdown tmpvendorlinks The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number expiration date and CVV number. NOTE: the vendor says that to exploit this the user has to explicitly install a malicious app and provide accessibility permission to the malicious app that the Android platform provides fair warnings to the users before turning on accessibility for any application and that it believes it is similar to installing malicious keyboards or malicious apps taking screenshots.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Reference

https://github.com/magicj3lly/appexploits/blob/master/PhonePe20-20Credit20and20Debit20Card20Leak.pdf

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3

Share on: