CVE-2016-6548

CRITICAL

nutspace nut_mobile - Unauthenticated Exposure of Sensitive Information via HTTP Session Token Transmission


Description

The Zizai Tech Nut mobile app makes requests via HTTP instead of HTTPS. These requests contain the user's authenticated session token with the URL. An attacker can capture these requests and reuse the session token to gain full access to the user's account.

References (3)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
https://www.securityfocus.com/bid/93877
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/402847

Scores

CVSS v3: 9.8
EPSS: 0.0371
EPSS Percentile: 88.4%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-200
Status: published
Products (1): nutspace/nut_mobile
Published: Jul 13, 2018
Tracked Since: Feb 18, 2026