Description
Directory traversal can occur in the Basecamp com.basecamp.bc3 application before 4.2.1 for Android, which may allow an attacker to write arbitrary files in the application's private directory. Additionally, by using a malicious intent, the attacker may redirect the server's responses (containing sensitive information) to third-party applications by using a custom-crafted deeplink scheme.
References (1)
Core References
Exploit, Third Party Advisory
https://hackerone.com/reports/1710541
Scores
CVSS v3: 7.5
EPSS: 0.0094
EPSS Percentile: 56.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22
Status: published
Products (1)
basecamp/basecamp: < 4.2.1
Published: Jun 25, 2023
Tracked Since: Feb 18, 2026