Mifos-Mobile Android Application for MifosX is an Android Application built on top of the MifosX Self-Service platform. Mifos-Mobile before commit e505f62 disables HTTPS hostname verification of its HTTP client. Additionally it accepted any self-signed certificate as valid. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. Accepting any certificate, even self-signed ones allows man-in-the-middle attacks. This problem is fixed in mifos-mobile commit e505f62.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:mifos:mifos-mobile:*:*:*:*:*:android:*:*"
],
"extracted_events": [
{
"fixed": "2021-03-14"
}
],
"vendor_product": "mifos:mifos-mobile",
"source": "CPE_RANGE"
}
]
}