CVE-2024-6295

LOW

udn News Android APP - Info Disclosure

Title source: llm

Description

udn News Android APP stores the unencrypted user session in the local database when a user logs in to the application. A malicious APP or an attacker with physical access to the Android device can retrieve this session and use it to log in to the news APP and other services provided by udn.

References (2)

Core References
Various Sources third-party-advisory
https://www.twcert.org.tw/tw/cp-132-7894-aebd8-1.html
Various Sources third-party-advisory
https://www.twcert.org.tw/en/cp-139-7895-80dac-2.html

Scores

CVSS v3 3.9
EPSS 0.0021
EPSS Percentile 11.4%
Attack Vector PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-922
Status published
Products (1)
udn/udn News App earlier - 4.20.1
Published Jun 25, 2024
Tracked Since Feb 18, 2026