Insecure Update Process and File Tampering Vulnerability in Mids' Reborn Hero Designer 2.6.0.7

Insecure Update Process and File Tampering Vulnerability in Mids' Reborn Hero Designer 2.6.0.7

CVE-2020-11614 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as well as update files, over cleartext HTTP. Additionally, the application does not perform file integrity validation for files after download. An attacker can perform a man-in-the-middle attack against this connection and replace executable files with malicious versions, which the operating system then executes under the context of the user running Hero Designer.

Learn more about our User Device Pen Test.