CVE-2017-15999 — CRITICAL (9.8)

Vulnerability Description

In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nq	Contacts Backup \& Restore	1.1

Related Weaknesses (CWE)

CWE-319

References

https://1337sec.blogspot.de/2017/10/auditing-nq-contacts-backup-restore-11.htmlThird Party Advisory
https://1337sec.blogspot.de/2017/10/auditing-nq-contacts-backup-restore-11.htmlThird Party Advisory

FAQ

What is CVE-2017-15999?

CVE-2017-15999 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an...

How severe is CVE-2017-15999?

CVE-2017-15999 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-15999?

Check the references section above for vendor advisories and patch information. Affected products include: Nq Contacts Backup \& Restore.