CVE-2020-7705

Published: Aug 24, 2020

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

This affects the package MintegralAdSDK from 0.0.0. The SDK distributed by the company contains malicious functionality that tracks any URL opened by the app and reports it back to the company, along with performing advertisement attribution fraud. Mintegral can remotely activate hooks on the UIApplication, openURL, SKStoreProductViewController, loadProductWithParameters and NSURLProtocol methods along with anti-debug and proxy detection protection. If those hooks are active MintegralAdSDK sends obfuscated data about every opened URL in an application to their servers. Note that the malicious functionality is enabled even if the SDK was not enabled to serve ads.

Vendor	Product	Versions
n/a	MintegralAdSDK	affected `0.0.0 - < unspecified`

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N/E:H/RL:U/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

References

https://snyk.io/vuln/SNYK-COCOAPODS-MINTEGRALADSDK-598852

x_refsource_MISC

https://snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/

x_refsource_MISC

https://snyk.io/research/sour-mint-malicious-sdk/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-7705

Description

Affected Products

CVSS v3.1 Details

References