Vulnerability Description
The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eaton | Halo Home | 1.9.0 |
Related Weaknesses (CWE)
References
- https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystExploitThird Party Advisory
- https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/secuThird Party Advisory
- https://blog.rapid7.com/2019/05/21/investigating-the-plumbing-of-the-iot-ecosystExploitThird Party Advisory
- https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/secuThird Party Advisory
FAQ
What is CVE-2019-5625?
CVE-2019-5625 is a vulnerability with a CVSS score of 7.1 (HIGH). The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reb...
How severe is CVE-2019-5625?
CVE-2019-5625 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-5625?
Check the references section above for vendor advisories and patch information. Affected products include: Eaton Halo Home.