CVE-2010-4211
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
09/11/2010
Last modified:
11/04/2025
Description
The PayPal app before 3.0.1 for iOS does not verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof a PayPal web server via an arbitrary certificate.
Impact
Base Score 2.0
2.90
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:ebay:paypal:*:*:*:*:*:*:*:* | 3.0 (including) | |
| cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:o:apple:iphone_os:3.1.2:*:*:*:*:*:*:* | ||
| cpe:2.3:o:apple:iphone_os:3.1.3:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://itunes.apple.com/us/app/paypal/id283646709
- http://news.cnet.com/8301-27080_3-20021730-245.html
- http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html
- http://viaforensics.com/press-releases/viaforensics-uncovers-paypal-application-vulnerability.html
- http://viaforensics.com/security/viaforensics-uncovers-significant-vulnerability-paypal-iphone.html
- http://www.securityfocus.com/bid/44657
- http://www.vupen.com/english/advisories/2010/2887
- https://exchange.xforce.ibmcloud.com/vulnerabilities/63002
- http://itunes.apple.com/us/app/paypal/id283646709
- http://news.cnet.com/8301-27080_3-20021730-245.html
- http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html
- http://viaforensics.com/press-releases/viaforensics-uncovers-paypal-application-vulnerability.html
- http://viaforensics.com/security/viaforensics-uncovers-significant-vulnerability-paypal-iphone.html
- http://www.securityfocus.com/bid/44657
- http://www.vupen.com/english/advisories/2010/2887
- https://exchange.xforce.ibmcloud.com/vulnerabilities/63002