XLM-2019-672

by adidionxlm

Abstract Advisory Information

An incorrect access control vulnerability in the Travely Android application allows an attacker to hijack any other user's session via an unrestricted API route.

Authors: Michaël Lucas

Version affected

Name: Travely Android application
Versions: 1.3.3

Common Vulnerability Scoring System

7.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Patches

The access control was reviewed on the backend API on 2019-04-11.

References

None

Vulnerability Disclosure Timeline

  • 11/04/2019: Vulnerability discovered
  • 11/04/2019: First contact with the support
  • 11/04/2019: Support fixes the vulnerability
  • 25/04/2019: Public Disclosure