Vulnerabilities > CVE-2023-36620 - Unspecified vulnerability in Nationaledtech Boomerang

CVSS 4.6 - MEDIUM

Attack vector

PHYSICAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

low complexity

nationaledtech

NVD

Published: 2023-11-03

Updated: 2024-11-21

Summary

An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to backup the internal memory of the app to a PC. This gives the user access to the API token that is used to authenticate requests to the API.

Vulnerable Configurations

Part	Description	Count
Application	Nationaledtech Nationaledtech Boomerang -	1

References

https://sec-consult.com/blog/detail/the-hidden-costs-of-parental-control-apps/
https://sec-consult.com/blog/detail/the-hidden-costs-of-parental-control-apps/
https://seclists.org/fulldisclosure/2023/Jul/12
https://seclists.org/fulldisclosure/2023/Jul/12
https://useboomerang.com/
https://useboomerang.com/