Vulnerability Description
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Phonepe | Phonepe | >= 3.0.6, <= 3.3.26 |
Related Weaknesses (CWE)
References
- https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20-%20Credit%20andThird Party Advisory
- https://github.com/magicj3lly/appexploits/blob/master/PhonePe%20-%20Credit%20andThird Party Advisory
FAQ
What is CVE-2018-17402?
CVE-2018-17402 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor...
How severe is CVE-2018-17402?
CVE-2018-17402 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17402?
Check the references section above for vendor advisories and patch information. Affected products include: Phonepe Phonepe.