{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0390", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2024-01-10T08:24:47.234Z", "datePublished": "2024-02-15T09:11:14.559Z", "dateUpdated": "2024-08-01T18:04:49.430Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://play.google.com/store/apps/details?id=inprax.izzi", "defaultStatus": "unaffected", "platforms": ["Android"], "product": "iZZi connect", "vendor": "INPRAX", "versions": [{"lessThan": "2024010401", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgba(214, 214, 214, 0.1);\">INPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".</span><p>This issue affects \"iZZi connect\" application versions before 2024010401.</p>"}], "value": "INPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".This issue affects \"iZZi connect\" application versions before 2024010401.\n\n"}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-02-15T09:11:14.559Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/02/CVE-2024-0390/"}], "source": {"discovery": "UNKNOWN"}, "title": "Hard-coded credentials in iZZi connect application", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T19:19:14.884809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:58:29.635Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.430Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/02/CVE-2024-0390/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/02/CVE-2024-0390/", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.430Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0390", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T19:19:14.884809Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:13.033Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Hard-coded credentials in iZZi connect application", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "CAPEC-114 Authentication Abuse"}]}], "affected": [{"vendor": "INPRAX", "product": "iZZi connect", "versions": [{"status": "affected", "version": "0", "lessThan": "2024010401", "versionType": "custom"}], "platforms": ["Android"], "collectionURL": "https://play.google.com/store/apps/details?id=inprax.izzi", "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/02/CVE-2024-0390/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "INPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".This issue affects \"iZZi connect\" application versions before 2024010401.\n\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgba(214, 214, 214, 0.1);\">INPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".</span><p>This issue affects \"iZZi connect\" application versions before 2024010401.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-02-15T09:11:14.559Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0390", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:04:49.430Z", "dateReserved": "2024-01-10T08:24:47.234Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-02-15T09:11:14.559Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "INPRAX \"iZZi connect\" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit \"reQnet iZZi\".This issue affects \"iZZi connect\" application versions before 2024010401.\n\n"}, {"lang": "es", "value": "La aplicaci\u00f3n INPRAX \"iZZi connect\" en Android contiene credenciales de cola MQTT codificadas. Los dispositivos de recuperaci\u00f3n f\u00edsica correspondientes utilizan la misma cola MQTT. La explotaci\u00f3n de esta vulnerabilidad podr\u00eda permitir el acceso no autorizado para administrar y leer los par\u00e1metros de la unidad de recuperaci\u00f3n \"reQnet iZZi\". Este problema afecta a las versiones de la aplicaci\u00f3n \"iZZi connect\" anteriores a 2024010401."}], "id": "CVE-2024-0390", "lastModified": "2024-02-15T14:28:31.380", "metrics": {}, "published": "2024-02-15T10:15:09.043", "references": [{"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2024/02/CVE-2024-0390/"}, {"source": "cvd@cert.pl", "url": "https://cert.pl/posts/2024/02/CVE-2024-0390/"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}