CVE-2020-11614
HIGHMids' Reborn Hero Designer 2.6.0.7 - Cleartext Transmission of Sensitive Information via HTTP Update Manifest
Title source: llmDescription
Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace executable files with malicious versions, which the operating system then executes under the context of the user running Hero Designer.
References (2)
Core 2
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/Crytilis/mids-reborn-hero-designer/releases
Exploit, Third Party Advisory x_refsource_misc
https://www.doyler.net/security-not-included/mids-reborn-vulnerabilities
Scores
CVSS v3
8.1
EPSS
0.0039
EPSS Percentile
30.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-319
CWE-345
Status
published
Products (1)
mids\'_reborn_hero_designer_project/mids\'_reborn_hero_designer
2.6.0.7
Published
Jun 11, 2020
Tracked Since
Feb 18, 2026