Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass. This issue affects ATA-AOF Mobile Application: before 20.06.2025.
The vulnerability involves two related issues: first, the application uses hard-coded credentials (CWE-798) embedded in the code that can be extracted and used by an attacker to authenticate as an authorized user. Second, sensitive information — including potentially authentication data — is transmitted in cleartext (CWE-319), making it possible to intercept it in network traffic. An attacker can combine both weaknesses to gain access to the system without knowing the correct user login credentials.
A remote attacker, without any authentication and user interaction, can bypass authentication mechanisms (Authentication Bypass) and gain unauthorized access to application resources, as well as intercept sensitive data transmitted over the network.
The ATA-AOF application must be updated to the version released on 20.06.2025 or later. Detailed information about the patch is available in the vendor references and in the USOM/TR-25-0135 bulletin.
ATA-AOF mobile application (Ataturk University) in all versions before 20.06.2025.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L