CVE-2020-12624

The League application before 2020-05-02 on Android sends a bearer token in an HTTP Authorization header to an arbitrary web site that hosts an external image because an OkHttp object is reused, which allows remote attackers to hijack sessions. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt