Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
MITM network positioning is required to abuse the cert bypass, so AC:H rather than AC:L; impact is confidentiality-only (C:H) as the attacker reads transmitted data with no integrity/availability effect described.
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
PayRange Android app, version 7.0.7 and below, contains an SSL bypass vulnerability that allows invalid certificates to be accepted in application webviews. A remote and unauthenticated attacker can steal information that the user sends.
AnalysisAI
Sensitive data exposure in the PayRange Android app (versions 7.0.7 and below) stems from improper TLS certificate validation in the app's embedded webviews, which accept invalid or attacker-controlled certificates. A network-positioned (man-in-the-middle) attacker can therefore decrypt and capture information users submit through those webviews, such as account or payment-related data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a man-in-the-middle network position on the traffic path between the victim's device and PayRange servers (e.g., control of the local Wi-Fi, ARP/DNS spoofing, or an upstream network hop), and the victim must be using PayRange Android 7.0.7 or earlier and actively entering data into an affected webview. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base 7.5) rates this as high-severity confidentiality-only impact with no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sets up a rogue access point or performs ARP spoofing on a shared network (e.g., a laundromat or café) where a victim uses the PayRange app. Because the app's webviews accept the attacker's forged TLS certificate, the attacker transparently proxies the HTTPS session and reads the account and payment details the user enters. … |
| Remediation | Upgrade the PayRange Android app to a release later than 7.0.7 that enforces proper certificate validation; no exact fixed version number is stated in the provided data, so consult the CERT/CC advisory at https://kb.cert.org/vuls/id/152953 for the vendor-confirmed patched build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems and user populations using PayRange Android app versions 7.0.7 or below; communicate advisory to affected users and restrict app usage to trusted, controlled networks only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42637
GHSA-wpmg-2gv8-722g