CVE-2017-14487
CRITICAL
OhMiBod Remote < 2.50.37 - Authentication Bypass via Shared Preferences Manipulation
Title source: llm
Description
The OhMiBod Remote app for Android and iOS allows remote attackers to impersonate users by sniffing network traffic for search responses from the OhMiBod API server and then editing the username, user_id, and token fields in data/data/com.ohmibod.remote2/shared_prefs/OMB.xml.
References (1)
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://dl.acm.org/citation.cfm?id=3139942&preflayout=flat
Scores
CVSS v3: 9.1
EPSS: 0.0116
EPSS Percentile: 62.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE: CWE-290
Status: published
Products (1): ohmibod/ohmibod_remote < 2.50.37 (2 CPE variants)
Published: Dec 01, 2017
Tracked Since: Feb 18, 2026