CVE-2020-23533 Information

Description

Union Pay up to 1.2.0 for web based versions contains a CWE-347: Improper Verification of Cryptographic Signature vulnerability allows attackers to shop for free in merchants’ websites and mobile apps via a crafted authentication code (MAC) which is generated based on a secret key which is NULL.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

https://www.dropbox.com/s/czbkdr73tclq2nr/UnionPay_Vulnerability_Report.txt?dl=0 http://mobitec.ie.cuhk.edu.hk/cve_2020/ https://www.dropbox.com/s/6smwnbrp0kgsgrc/poc_code.py?dl=0

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.5