Description
The Boozt Fashion application before 2.3.4 for Android allows remote attackers to read login credentials by sniffing the network and leveraging the lack of SSL. NOTE: the vendor response, before the application was changed to enable SSL logins, was "At the moment that is an accepted risk. We only have https on the checkout part of the site."
References (2)
Core References
Third Party Advisory x_refsource_misc
https://wwws.nightwatchcybersecurity.com/2017/07/27/boozt-fashion-android-app-didnt-use-ssl-for-login-cve-2017-11706/
Third Party Advisory x_refsource_misc
https://hackerone.com/reports/166712
Scores
CVSS v3
7.5
EPSS
0.0141
EPSS Percentile
69.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
boozt/boozt
< 2.3.3
Published
Jul 28, 2017
Tracked Since
Feb 18, 2026