Vulnerability Description
The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. When using platforms prior to Android 4.1 (Jelly Bean), the log data is not sandboxed per application; any application installed on the device has the capability to read data logged by other applications.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tronlink | Wallet | 2.2.0 |
| Android | < 4.1 |
Related Weaknesses (CWE)
References
- https://pastebin.com/a5VhaxYnExploitThird Party Advisory
- https://pastebin.com/raw/rVGbwSw0ExploitThird Party Advisory
- https://pastebin.com/a5VhaxYnExploitThird Party Advisory
- https://pastebin.com/raw/rVGbwSw0ExploitThird Party Advisory
FAQ
What is CVE-2019-13098?
CVE-2019-13098 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The user password via the registration form of TronLink Wallet 2.2.0 is stored in the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The ...
How severe is CVE-2019-13098?
CVE-2019-13098 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-13098?
Check the references section above for vendor advisories and patch information. Affected products include: Tronlink Wallet, Google Android.