Improper Certificate Validation in neon - CVE-2018-5258

 


Published: January 17, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU37630
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-5258
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: webdav.org
Affected software:
neon

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers, which allows remote attackers to spoof servers and obtain sensitive information via a crafted certificate.


How to mitigate CVE-2018-5258

Install the update from the vendor's website.
