Lucene search

JpcertCVE-2024-35298

HistoryJun 19, 2024 - 5:15 a.m.

CVE-2024-35298

2024-06-1905:15:51

CWE-939

jpcert

web.nvd.nist.gov

improper authorization

url scheme

zozotown

android

phishing attack

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

Improper authorization in handler for custom URL scheme issue in ‘ZOZOTOWN’ App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user’s device. As a result, the user may become a victim of a phishing attack.

Affected configurations

Vulners

Node

zozo\,_inc.\'zozotown\'_app_for_androidRange<7.39.6

VendorProductVersionCPE
zozo\,_inc.\'zozotown\'_app_for_android*cpe:2.3:a:zozo\,_inc.:\'zozotown\'_app_for_android:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zozo\,_inc.	\'zozotown\'_app_for_android	*	cpe:2.3:a:zozo\,_inc.:\'zozotown\'_app_for_android::::::::

CNA Affected

[
  {
    "vendor": "ZOZO, Inc.",
    "product": "'ZOZOTOWN' App for Android",
    "versions": [
      {
        "version": "prior to 7.39.6",
        "status": "affected"
      }
    ]
  }
]

References

jvn.jp/en/jp/JVN37818611/

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-35298