Vulnerability Description
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phonepe | Phonepe | >= 3.0.6, <= 3.3.26 |
Related Weaknesses (CWE)
References
- https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20Authentication%2Third Party Advisory
- https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20Authentication%2Third Party Advisory
FAQ
What is CVE-2018-17401?
CVE-2018-17401 is a vulnerability with a CVSS score of 8.8 (HIGH). The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the ve...
How severe is CVE-2018-17401?
CVE-2018-17401 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17401?
Check the references section above for vendor advisories and patch information. Affected products include: Phonepe Phonepe.