CVE-2019-13097
Description
The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Attackers can manipulate users' score parameters exchanged between client and server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cat Runner Decorate Home v2.8.0 for Android API fails to validate score parameters, allowing remote score manipulation.
Vulnerability
The application API of Cat Runner Decorate Home version 2.8.0 for Android does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. Specifically, the score parameter exchanged between client and server can be manipulated. This is demonstrated in the reference [1].
Exploitation
An attacker with network access can send a crafted POST request to the /index/commit endpoint with arbitrary values for the score parameter. The reference shows a sample request that successfully changes the score. No authentication or user interaction is required beyond knowing the target user's uid and appid [1].
Impact
Successful exploitation allows an attacker to arbitrarily modify the score parameter for any user, potentially gaining high scores or other competitive advantages. The impact is limited to manipulation of in-game data; no remote code execution or data breach is reported.
Mitigation
As of the publication date, no fix has been released by the vendor (Ivy). Users should monitor for updates to the application. The vulnerability was reported on April 23, 2019 [1], but no patch is mentioned.
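A server-side check that closes this class of flaw, as an added example that is not the vendor's code or a released fix. The uid, appid and score fields come from the description above; the run_token field, the points-per-second ceiling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # server-only secret, never shipped in the app
MAX_POINTS_PER_SEC = 50                # assumed game-design ceiling (hypothetical)
_used_nonces = set()                   # replay cache, in-memory for this example


def _sign(uid, appid, started_at, nonce):
    # repr() of the tuple avoids delimiter and type ambiguity between fields
    msg = repr((uid, appid, started_at, nonce)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def start_run(uid, appid, now):
    """Token handed to an already authenticated client when a run begins."""
    nonce = secrets.token_hex(8)
    return {"uid": uid, "appid": appid, "started_at": now,
            "nonce": nonce, "sig": _sign(uid, appid, now, nonce)}


def validate_commit(body, now):
    """Return (accepted, reason) for a score-commit request body."""
    t = body.get("run_token") or {}
    try:
        expected = _sign(t["uid"], t["appid"], t["started_at"], t["nonce"])
        score = int(body["score"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(expected.encode(), str(t.get("sig", "")).encode()):
        return False, "bad_token"          # token not issued by this server
    if (body.get("uid"), body.get("appid")) != (t["uid"], t["appid"]):
        return False, "identity_mismatch"  # uid/appid in body are not trusted alone
    if t["nonce"] in _used_nonces:
        return False, "replayed"
    elapsed = now - t["started_at"]
    if elapsed <= 0 or not 0 <= score <= elapsed * MAX_POINTS_PER_SEC:
        return False, "implausible_score"  # bound the client-supplied value
    _used_nonces.add(t["nonce"])
    return True, "ok"
```

Knowing a uid and appid is no longer enough to submit a score: the request must carry a token the server issued for that identity, and the score is bounded by the elapsed run time.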
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cat Runner Decorate Home/Cat Runner Decorate Home (description)
- Range: = 2.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- pastebin.com/WkkGk0tw (mitre, x_refsource_MISC)
- www.youtube.com/watch (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.