Key Information

Vulnerability name: Vulnerability in Two App Studio Journey (CVE-2025-4159)
Affected versions: v5.5.6 - v5.5.9
CVSS Score: 7.8 (CVSS v3.1)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability description:
- Insecure authentication due to missing brute-force protection and runtime manipulation in Two App Studio Journey v5.5.9 for iOS.
- Insufficient authentication enforcement in the local authentication component allows local attackers to bypass biometric and PIN-based protection via repeated PIN attempts and runtime manipulation.
- The application implements local 4-digit PIN and biometric authentication, but these mechanisms can be bypassed using brute-force and runtime manipulation techniques.
- Sensitive data within the app may be accessed without valid user authentication.

Timeline:
- 2025-03-12: Vendor was contacted and informed about the vulnerability via email. No response.
- 2025-03-25: Second attempt was made to contact the vendor via email. No response.
- 2025-06-25: Third attempt was made to contact the vendor via email. No response.

Discovered by: Honnes Allmann (cirosec GmbH)
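The two weaknesses the advisory names, no brute-force protection on a 4-digit PIN and an authentication decision that can be flipped at runtime, are both addressed by the same design: throttle failed attempts with an escalating lockout, and derive the key that protects the data from the PIN itself so that a bypassed boolean check releases nothing. The following Python sketch is an added example written for this page; it is not code from the Journey app, its vendor, or the advisory's author, and the iteration count, attempt limits and lockout durations are constructed parameters. The XOR keystream stands in for a real AEAD so the block stays standard-library only.

```python
import hashlib
import hmac
import os
import time

# Constructed policy parameters for this example (not taken from the advisory).
PBKDF2_ITERATIONS = 100_000
MAX_FREE_ATTEMPTS = 3        # failures tolerated before lockouts begin
BASE_LOCKOUT_SECONDS = 30.0  # first lockout; doubles on every further failure


class PinVault:
    """Protect a per-user secret behind a 4-digit PIN with brute-force lockout.

    1. Brute-force protection: after MAX_FREE_ATTEMPTS failures each further
       failure imposes an exponentially growing lockout, so the 10,000-PIN
       space cannot be enumerated in a useful time.
    2. Resistance to runtime manipulation: no "authenticated" flag is consulted.
       The secret is encrypted under a key derived from the PIN, so forcing the
       verification branch to succeed does not produce a usable key.
    """

    def __init__(self, pin: str, secret: bytes, clock=time.monotonic):
        self._clock = clock                 # injectable for deterministic tests
        self._salt = os.urandom(16)
        key = self._derive(pin)
        # Store only a verifier of the derived key, never the PIN or the key.
        self._verifier = hashlib.sha256(key).digest()
        self._ciphertext = self._xor_keystream(key, secret)
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, pin: str) -> bytes:
        # Slow KDF: every guess costs the attacker PBKDF2_ITERATIONS hashes.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _xor_keystream(key: bytes, data: bytes) -> bytes:
        # Demo stand-in for an AEAD: SHA-256 counter-mode keystream XORed over data.
        stream = bytearray()
        counter = 0
        while len(stream) < len(data):
            stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def lockout_remaining(self) -> float:
        """Seconds until the next PIN attempt is accepted (0.0 when not locked)."""
        return max(0.0, self._locked_until - self._clock())

    def unlock(self, pin: str):
        """Return (secret, "ok") on success, else (None, "locked" | "wrong_pin")."""
        if self.lockout_remaining() > 0:
            return None, "locked"
        key = self._derive(pin)
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self._verifier):
            self._failures += 1
            excess = self._failures - MAX_FREE_ATTEMPTS
            if excess >= 0:
                self._locked_until = self._clock() + BASE_LOCKOUT_SECONDS * (2 ** excess)
            return None, "wrong_pin"
        self._failures = 0
        # Decryption only works with the key derived from the correct PIN.
        return self._xor_keystream(key, self._ciphertext), "ok"


def attempts_within(seconds: float) -> int:
    """Upper bound on PIN guesses the lockout policy permits inside a time window.

    Lets a defender check the policy: with the constructed parameters above,
    an hour allows 9 guesses against a space of 10,000 PINs.
    """
    attempts = MAX_FREE_ATTEMPTS
    elapsed = 0.0
    lock = BASE_LOCKOUT_SECONDS
    while elapsed + lock <= seconds:
        elapsed += lock
        lock *= 2
        attempts += 1
    return attempts


if __name__ == "__main__":
    vault = PinVault("1234", b"journal entries")   # constructed sample PIN and data
    print(vault.unlock("0000"))                     # (None, 'wrong_pin')
    print(vault.unlock("1234"))                     # (b'journal entries', 'ok')
    print("guesses possible per hour:", attempts_within(3600))
```

The lockout state lives with the verifier, so a failed attempt is recorded before any result is returned, and the policy helper gives a quick way to sanity-check whether a chosen attempt budget is adequate for the PIN space being protected.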