CVE-2019-9493
MEDIUM
AutoMobility MyCar <3.4.24-4.1.2 - Command Injection
Title source: llm
Description
The MyCar Controls mobile application of AutoMobility Distribution Inc. contains hard-coded admin credentials. A remote unauthenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle. This issue affects AutoMobility MyCar versions prior to 3.4.24 on iOS and versions prior to 4.1.2 on Android. This issue has additionally been fixed in Carlink, Link, Visions MyCar, and MyCar Kia.
References (5)
Core References
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/174715/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
https://www.securityfocus.com/bid/107827
Product x_refsource_misc
https://play.google.com/store/apps/details?id=app.com.automobility.mycar.control
Product x_refsource_misc
https://mycarcontrols.com/
Product x_refsource_misc
https://itunes.apple.com/us/app/mycar-controls/id1126511815
Scores
CVSS v3
6.5
EPSS
0.0357
EPSS Percentile
87.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-798
Status
published
Products (2)
mycarcontrols/mycar_controls
< 3.4.24
mycarcontrols/mycar_controls
< 4.1.2
Published
Jan 15, 2020
Tracked Since
Feb 18, 2026