Skip to main content

Splashin

2 CVEs product

Monthly

CVE-2025-45157 MEDIUM POC This Month

Insecure permissions in Splashin iOS v2.0 expose precise location data for targeted users to unauthenticated network attackers via broken access control. The flaw, classified under CWE-284 (Improper Access Control), allows any remote party to query location information without credentials, bypassing the application's intended authorization model. No public exploit identified at time of analysis is inaccurate here - a publicly available proof-of-concept is documented in the referenced researcher disclosure, though EPSS remains low (0.24%, 15th percentile), suggesting opportunistic exploitation has not yet materialized at scale.

Authentication Bypass Apple Splashin
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-45156 MEDIUM POC This Month

Splashin iOS v2.0 fails to enforce server-side rate limiting on location update frequency for free-tier accounts, allowing free users to bypass tier-based restrictions and submit location updates at an unrestricted rate. Confirmed by CPE (cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*), this business logic flaw exposes the platform's API to abuse by any free-tier account holder. A publicly available proof-of-concept is referenced via NVD exploit tag; EPSS sits at 0.36% (28th percentile), indicating low probability of widespread automated exploitation.

Apple Information Disclosure Splashin
NVD
CVSS 3.1
5.3
EPSS
0.4%
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Insecure permissions in Splashin iOS v2.0 expose precise location data for targeted users to unauthenticated network attackers via broken access control. The flaw, classified under CWE-284 (Improper Access Control), allows any remote party to query location information without credentials, bypassing the application's intended authorization model. No public exploit identified at time of analysis is inaccurate here - a publicly available proof-of-concept is documented in the referenced researcher disclosure, though EPSS remains low (0.24%, 15th percentile), suggesting opportunistic exploitation has not yet materialized at scale.

Authentication Bypass Apple Splashin
NVD
EPSS 0% CVSS 5.3
MEDIUM POC This Month

Splashin iOS v2.0 fails to enforce server-side rate limiting on location update frequency for free-tier accounts, allowing free users to bypass tier-based restrictions and submit location updates at an unrestricted rate. Confirmed by CPE (cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*), this business logic flaw exposes the platform's API to abuse by any free-tier account holder. A publicly available proof-of-concept is referenced via NVD exploit tag; EPSS sits at 0.36% (28th percentile), indicating low probability of widespread automated exploitation.

Apple Information Disclosure Splashin
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy