Xtooltech Xtool AnyScan Android Application 4.40.40 and prior uses a hardcoded cryptographic key and IV to decrypt update metadata. The key is stored as a static value within the application's code. An attacker with the ability to intercept network traffic can use this hardcoded key to decrypt, modify, and re-encrypt the update manifest, allowing them to direct the application to download a malicious update package.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NXtooltech Xtool Anyscan
APPXtooltech≤ 4.40.40
Powiązane podatności
The update mechanism in Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is insecure. The applica...
Xtooltech Xtool AnyScan Android Application 4.40.40 and prior is Missing SSL Certificate Validation. The appli...
Xtooltech Xtool AnyScan Android Application 4.40.40 is Missing Authentication for Critical Function. The serve...