CVE-2021-25647 - Stored XSS on Mobile Application "Testes de Código"


27-01-2021

Vulnerability Details

Vendor: TM Mobile Solutions <app@testes-codigo.pt>

Product: "Testes de Código" Mobile Application (Android & iOS)

About: The mobile application "Testes de Código" (tdc.testesdecodigo) lets its users take theoretical driving tests based on Portuguese traffic rules. The application also integrates a public forum for asking questions and a chat for communication between students.
This is the #1 mobile app to practice theoretical driving tests in Portugal with 500.000+ installations on Android devices.

Affected version: Version 11.3 and earlier.

Problem type: Code injection; Stored cross-site scripting

Description: The application allows its users to send feedback through the "tdc_testemunhos" component without sanitizing the input. As a consequence, a malicious user may inject raw JavaScript or HTML code, which is stored in the remote database and then executed on other clients' devices when the feedback is displayed.
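The unsafe rendering pattern this advisory describes, shown beside a hardened form and a small audit helper for already-stored entries. This is an added example, not the vendor's code; the entry fields, helper names and sample entries are assumptions.

```javascript
// Added example (not the vendor's code): rendering user-submitted testimonials
// ("testemunhos") so that markup in the stored text is displayed, not executed.
// Field names (author, text) and the sample entries are assumptions.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every character that can open a tag or break out of an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored feedback is concatenated straight into markup, so
// any tag the submitter typed becomes part of the DOM on every viewer's device.
function renderTestimonialUnsafe(entry) {
  return `<li class="testemunho"><b>${entry.author}</b>: ${entry.text}</li>`;
}

// Hardened pattern: every untrusted field is escaped before insertion, so the
// same input is shown literally instead of being parsed as HTML.
function renderTestimonialSafe(entry) {
  return `<li class="testemunho"><b>${escapeHtml(entry.author)}</b>: ${escapeHtml(entry.text)}</li>`;
}

// Audit helper for defenders: flag stored entries that already contain a tag or
// an inline event handler, which a sanitising fix must also clean up retroactively.
function containsMarkup(text) {
  return /<\s*\/?\s*[a-z!?]/i.test(text) || /\bon\w+\s*=/i.test(text);
}

// Constructed sample data: one ordinary entry and one that carries a script tag.
const SAMPLE_ENTRIES = [
  { author: "Ana", text: "Passei no exame à primeira, obrigada!" },
  { author: "Rui", text: "Boa app <script>alert(1)</script>" },
];

// Returns the authors of entries whose stored fields contain markup.
function auditEntries(entries) {
  return entries
    .filter((e) => containsMarkup(e.text) || containsMarkup(e.author))
    .map((e) => e.author);
}
```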

Solution: Update to version 11.4 or newer.

References:

  1. https://testes-codigo.pt/
  2. https://testes-codigo.pt/testemunhos/
  3. https://play.google.com/store/apps/details?id=tdc.testesdecodigo
  4. https://apps.apple.com/pt/app/testes-de-c%C3%B3digo-imt-2020/id1451809836

Timeline:

  1. 2021-01-13: Issue reported to vendor
  2. 2021-01-13: Vendor acknowledged and confirmed the vulnerability
  3. 2021-01-14: Vendor fixed the issue
  4. 2021-01-15: CVE ID requested from MITRE
  5. 2021-01-27: Public disclosure

Reported by: João Varelas <varelas@pm.me>
