Use of hard-coded credentialsv in Piccoma App
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-38480 |
| CWE-ID | CWE-798 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Piccoma App for Android Mobile applications / Apps for mobile phones Piccoma App for iOS Mobile applications / Apps for mobile phones |
| Vendor | Kakao piccoma Corp. |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Use of hard-coded credentials
EUVDB-ID: #VU93521
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-38480
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can analyze data in the app and obtain API key for an external service.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPiccoma App for Android: All versions
Piccoma App for iOS: All versions
CPE2.3- cpe:2.3:a:kakao_piccoma_corp.:piccoma_app_for_android:*:*:*:*:*:*:*:*
- cpe:2.3:a:kakao_piccoma_corp.:piccoma_app_for_ios:*:*:*:*:*:*:*:*
https://play.google.com/store/apps/details?id=jp.kakao.piccoma
https://apps.apple.com/jp/app/%E3%83%94%E3%83%83%E3%82%B3%E3%83%9E/id1091496983
https://jvn.jp/en/jp/JVN01073312/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
