Missing Encryption of Sensitive Data

CVE-2018-17915

High

9.8/10

Summary

All versions of Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server do not encrypt all device communication. This includes the XMeye service and firmware update communication. This could allow an attacker to eavesdrop on video feeds, steal XMeye login credentials, or impersonate the update server with malicious update code.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-311 - Missing Encryption of Sensitive Data

The software does not encrypt sensitive or critical information before storage or transmission.

References

Advisory Timeline

Published Oct 10, 2018

Missing Encryption of Sensitive Data

CVE-2018-17915

Summary

CWE-311 - Missing Encryption of Sensitive Data

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS