TONE store App Plaintext Transmission Vulnerability (CVE-2024-39886)

Critical Vulnerability Information Overview Vulnerability Identifier: JVN#28515217 Vulnerability Description: TONE store App to TONE store has a plaintext transmission issue. Affected Products Affected Product: TONE store App versions 3.4.2 and earlier. Description: This app is pre-installed on TONE smartphones. Description Issue Details: The TONE store App (provided by DREAM TRAIN INTERNET INC.) contains a plaintext transmission vulnerability involving the TONE store website (CWE-419). Impact Attack Type: A man-in-the-middle attack may allow an attacker to intercept and/or modify communications of the affected application. Solution Update the Application: Update to the latest version as per the developer's information. When internet connection settings are enabled, the app will automatically update. Vendor Status Vendor: DREAM TRAIN INTERNET INC. Status: Vulnerable Last Updated: 2024/07/08 Vendor Notes: Refer to the DREAM TRAIN INTERNET INC. website. References JPCERT/CC Appendix Vulnerability Analysis by JPCERT/CC CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 3.7 Notes Assumed Scenario: The analysis assumes an attacker places a malicious wireless LAN access point to conduct a man-in-the-middle attack. Acknowledgments Reporter: Kodai Karakawa reported this vulnerability to IPA. Coordination Body: JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. Additional Information Related Links - JPCERT Alert - JPCERT Reports - CERT Advisory - CPNI Advisory - TRnotes - CVE: CVE-2024-39886 - JVN iPedia: JVNDB-2024-000069

Goal Reached Thanks to every supporter — we hit 100%!

TONE store App Plaintext Transmission Vulnerability (CVE-2024-39886)