Description
The user password entered in the registration form of TronLink Wallet 2.2.0 is written to the log when the class CreateWalletTwoActivity is called. Other authenticated users can read it in the log later. The logged data can be read using Logcat on the device. On platforms prior to Android 4.1 (Jelly Bean), log data is not sandboxed per application, so any application installed on the device can read data logged by other applications.
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://pastebin.com/a5VhaxYn
Exploit, Third Party Advisory x_refsource_misc
https://pastebin.com/raw/rVGbwSw0
Scores
CVSS v3: 6.5
EPSS: 0.0056
EPSS Percentile: 68.2%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-532
Status: published
Products (1)
tronlink/wallet 2.2.0
Published: Jul 22, 2019
Tracked Since: Feb 18, 2026