CVE-2024-23453: Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key...

Description

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service.

Classification

CVE ID: CVE-2024-23453

Problem Types

Use of Hard-coded Credentials

Affected Products

Vendor: Spoon Radio Japan Inc.

Product: Android Spoon application

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.26% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-23453
https://play.google.com/store/apps/details?id=co.spoonme&hl=en_US
https://spoon-support.spooncast.net/jp/update
https://jvn.jp/en/jp/JVN96154238/

Timeline

2025-06-04 16:40:17 UTC
CVE

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key...