CVE-2017-16905

HIGH

Duolingo TinyCards < 1.0 - Remote Code Execution via Unencrypted HTTP

Title source: llm

Description

The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack.

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/281605

Scores

CVSS v3 8.1
EPSS 0.0348
EPSS Percentile 87.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
duolingo/tinycards < 1.0
Published Jan 05, 2018
Tracked Since Feb 18, 2026