MidnightBSD

Advisories for nq

CVE-2014-5667 MEDIUM

The Vault-Hide SMS, Pics & Videos (aka com.netqin.ps) application 5.0.14.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
nq vault-hide_sms_pics_&_videos 5.0.14.22
CVE-2014-5672 MEDIUM

The NQ Mobile Security & Antivirus (aka com.nqmobile.antivirus20) application 7.2.16.00 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
nq nq_mobile_security_&_antivirus 7.2.16.00
CVE-2014-5673 MEDIUM

The Easy Finder & Anti-Theft (aka com.nqmobile.easyfinder) application 2.0.10.08 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
nq easy_finder_&_anti-theft 2.0.10.08
CVE-2014-5764 MEDIUM

The Antivirus Free (aka com.zrgiu.antivirus) application 7.2.16.02 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
nq antivirus_free 7.2.16.02
CVE-2017-15997 LOW

In the "NQ Contacts Backup & Restore" application 1.1 for Android, RC4 encryption is used to secure the user password locally stored in shared preferences. Because there is a static RC4 key, an attacker can gain access to user credentials more easily by leveraging access to the preferences XML file.

CVSS 2.0

Severity: LOW

Problem Type: CWE-327,

Products Affected

Vendor Product Version
nq contacts_backup_&_restore 1.1
CVE-2017-15998 MEDIUM

In the "NQ Contacts Backup & Restore" application 1.1 for Android, DES encryption with a static key is used to secure transmitted contact data. This makes it easier for remote attackers to obtain cleartext information by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
nq contacts_backup_&_restore 1.1
CVE-2017-15999 MEDIUM

In the "NQ Contacts Backup & Restore" application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
nq contacts_backup_&_restore 1.1