magicj3lly/appexploits

Releases0

Stars4

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-17400 ↗	Sep 23, 2018Sunday, 23 September 2018, 22:29	—	1.2 LOW
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
CVE-2018-17401 ↗	Sep 23, 2018Sunday, 23 September 2018, 22:29	—	4.3 MEDIUM
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to perform Account Takeover attacks by exploiting its Forgot Password feature. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
CVE-2018-17402 ↗	Sep 23, 2018Sunday, 23 September 2018, 22:29	—	2.6 LOW
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to discover the Credit/Debit card number, expiration date, and CVV number. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
CVE-2018-17403 ↗	Sep 23, 2018Sunday, 23 September 2018, 22:29	—	4.3 MEDIUM
The PhonePe wallet (aka com.PhonePe.app) application 3.0.6 through 3.3.26 for Android might allow attackers to impersonate a user and set up their account without their knowledge. NOTE: the vendor says that, to exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app, that the Android platform provides fair warnings to the users before turning on accessibility for any application, and that it believes it is similar to installing malicious keyboards, or malicious apps taking screenshots
CVE-2018-17404 ↗	Sep 23, 2018Sunday, 23 September 2018, 22:29	—	2.6 LOW
The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Android might allow an attacker to sniff private information such as mobile number, PAN number (from a government-issued ID), and date of birth.
CVE-2018-17108 ↗	Sep 16, 2018Sunday, 16 September 2018, 23:29	—	4.3 MEDIUM
The SBIbuddy (aka com.sbi.erupee) application 1.41 and 1.42 for Android might allow attackers to perform Account Takeover attacks by intercepting a security-question response during the initial configuration of the application.
CVE-2017-9818 ↗	Aug 24, 2018Friday, 24 August 2018, 21:29	—	5 MEDIUM
The National Payments Corporation of India BHIM application 1.3 for Android relies on a four-digit passcode, which makes it easier for attackers to obtain access.
CVE-2017-9819 ↗	Aug 24, 2018Friday, 24 August 2018, 21:29	—	7.5 HIGH
The National Payments Corporation of India BHIM application 1.3 for Android does not properly restrict use of the OTP feature, which makes it easier for attackers to bypass authentication.
CVE-2017-9820 ↗	Aug 24, 2018Friday, 24 August 2018, 21:29	—	7.5 HIGH
The National Payments Corporation of India BHIM application 1.3 for Android uses a custom keypad for which the input element is available to the Accessibility service, which makes it easier for attackers to bypass authentication.
CVE-2017-9821 ↗	Aug 24, 2018Friday, 24 August 2018, 21:29	—	7.5 HIGH
The National Payments Corporation of India BHIM application 1.3 for Android relies on three hardcoded strings (AK-NPCIMB, IM-NPCIBM, and VK-NPCIBM) for SMS validation, which makes it easier for attackers to bypass authentication.
CVE-2018-15660 ↗	Aug 21, 2018Tuesday, 21 August 2018, 17:29	—	4.3 MEDIUM
An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions, then the attacker can read certain Ola Money data such as a credit card number, expiration date, bank account number, and transaction history. NOTE: the vendor does not agree that this is a security issue requiring a fix
CVE-2018-15661 ↗	Aug 21, 2018Tuesday, 21 August 2018, 17:29	—	2.6 LOW
An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions and the ability to read SMS messages, then the Forgot Password screen can be used to bypass authentication. NOTE: the vendor does not agree that this is a security issue requiring a fix