The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions.
References
| Link | Resource |
|---|---|
| https://push32.com/post/dating-app-fail/ | Exploit, Third Party Advisory |
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-05-03T13:01:33
Updated: 2020-05-03T13:01:33
Reserved: 2020-05-03T00:00:00
Link: CVE-2020-12624
NVD Information
Status: Analyzed
Published: 2020-05-03T13:15:11.310
Modified: 2021-07-21T11:39:23.747
Link: CVE-2020-12624