Abstract Advisory Information
An incorrect access control vulnerability in the Travely Android application allows an attacker to hijack any other user's session via an unrestricted API route.
Authors: Michaël Lucas
Version affected
Name: Travely Android application
Versions: 1.3.3
Common Vulnerability Scoring System
7.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Patches
The access control was reviewed on the backend API on 2019-04-11.
References
None
Vulnerability Disclosure Timeline
- 11/04/2019: Vulnerability discovered
- 11/04/2019: First contact with the support
- 11/04/2019: Support fixed the vulnerability
- 25/04/2019: Public Disclosure