CVE-2020-12624

MEDIUM

League <2020-05-02 - SSRF

Title source: llm

Description

The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions.

References (1)

[Exploit, Third Party Advisory] https://push32.com/post/dating-app-fail/

Scores

CVSS v3 6.5

EPSS 0.0047

EPSS Percentile 64.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE

CWE-459

Status published

Products (1)

theleague/the_league < 2020-05-02

Published May 03, 2020

Tracked Since Feb 18, 2026