CVE-2021-26833

low-risk
Published 2021-04-06

Cleartext Storage in a File or on Disk in TimelyBills <= 1.7.0 for iOS and <= 1.21.115 for Android allows an attacker who can locally read the user's files to obtain JWT tokens for the user's account, due to insufficient cache-clearing mechanisms. A threat actor can obtain sensitive user data by decoding the tokens, since a JWT is signed and encoded, not encrypted.

Do I need to act?

- 0.32% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list (no confirmed active exploitation reported to CISA)
- Patch status unknown (check vendor advisories for fix availability and mitigation guidance)
- CVSS 5.9/10 Medium (NETWORK attack vector / HIGH attack complexity)

Affected Products (2)

Timelybills
Timelybills

Affected Vendors

Risk score 26/100 (low-risk)
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 7/34 · Low