Japan Vulnerability Notes (jvn), JVN:37818611
History: Jun 19, 2024 - 12:00 a.m.

JVN#37818611: "ZOZOTOWN" App for Android fails to restrict custom URL schemes properly

Published: 2024-06-19 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)
Tags: android, zozotown, app, custom url, vulnerability, phishing, update, mitre, cwe-939

CVSS3: 4.3

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score: 7 (Confidence: Low)

EPSS: 0 (Percentile: 9.0%)

“ZOZOTOWN” App for Android, provided by ZOZO, Inc., has a function that accesses a URL requested via a Custom URL Scheme. The App does not properly restrict access to this function (CWE-939), which may be exploited to direct the App to access any site.
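
One way to implement the restriction that CWE-939 calls for, shown as an added example and not code from ZOZO, Inc. or JVN: the handler validates the URL it received through the custom scheme before opening it. The class name, the allowlisted hosts and the `url` parameter are assumptions for illustration; the advisory does not describe the App's link format or its fix.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeepLinkTargetCheck {
    // Assumption: placeholder hosts the app is meant to open, not the vendor's real list.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("shop.example.com", "www.example.com"));

    /** True only if a URL received through the custom-scheme handler may be opened. */
    static boolean isAllowedTarget(String rawUrl) {
        if (rawUrl == null) return false;
        final URI uri;
        try {
            uri = new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected, never repaired
        }
        // Absolute https only: rejects http:, file:, javascript: and relative references.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // No credentials in the authority (text before '@' is not the host).
        if (uri.getRawUserInfo() != null) return false;
        // getHost() is null for opaque URIs and registry-based authorities.
        String host = uri.getHost();
        if (host == null) return false;
        // Exact match on the parsed host, not contains()/startsWith() on the raw string.
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return false;
        // Default HTTPS port only.
        return uri.getPort() == -1 || uri.getPort() == 443;
    }

    public static void main(String[] args) {
        // Constructed sample values for the hypothetical "url" parameter.
        String[] samples = {
            "https://shop.example.com/item/123",
            "http://shop.example.com/item/123",
            "https://shop.example.com.other.example/login",
            "https://shop.example.com@other.example/login",
            "//other.example/login",
        };
        for (String s : samples) {
            System.out.println((isAllowedTarget(s) ? "open   " : "reject ") + s);
        }
    }
}
```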

Impact

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.
The developer has released the following version that fixes the vulnerability.

  • “ZOZOTOWN” App for Android version 7.39.6

Products Affected

  • “ZOZOTOWN” App for Android versions prior to 7.39.6
