Description
Oclean Mobile Application 2.1.2 communicates with an external website over HTTP, so the network traffic can be eavesdropped. The HTTP payload is encrypted using XOR with a hardcoded key, which makes it possible to decode the traffic.
References (3)
Core References
Product x_refsource_misc
http://oclean.com
Product x_refsource_misc
https://play.google.com/store/apps/details?id=com.yunding.noopsychebrushforeign
Exploit, Third Party Advisory x_refsource_misc
https://github.com/c3r34lk1ll3r/decrypt-oclean-traffic
Scores
CVSS v3
7.5
EPSS
0.0016
EPSS Percentile
36.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-327
CWE-798
Status
published
Products (1)
oclean/oclean
2.1.2
Published
Feb 11, 2021
Tracked Since
Feb 18, 2026