CVE-2020-27199 — HIGH (7.5)

Vulnerability Description

The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication function. Using enumeration, an attacker is able to forge a User specific token without the need for correct password to gain access to the mobile application as that victim user.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Magic Home Pro Project	Magic Home Pro	1.5.1

Related Weaknesses (CWE)

CWE-287

References

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/magic-home-pro-mExploitThird Party Advisory
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/magic-home-pro-mExploitThird Party Advisory

FAQ

What is CVE-2020-27199?

CVE-2020-27199 is a vulnerability with a CVSS score of 7.5 (HIGH). The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The security control that the application currently has in place is a simple Username and Password authentication functio...

How severe is CVE-2020-27199?

CVE-2020-27199 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-27199?

Check the references section above for vendor advisories and patch information. Affected products include: Magic Home Pro Project Magic Home Pro.