Japan Vulnerability NotesJVN:66422035JVN#66422035: Android Apps developed using Yappli fails to restrict custom URL schemes properly
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
0.002 Low
EPSS
Percentile
57.0%
Yappli provided by Yappli, Inc. is an application development platform.
Android Apps that are developed with Yappli provide the function to access a requested URL using Custom URL Scheme.
The access to the function is not restricted properly (CWE-939) which may be exploited to direct the App to connect to unintended sites.
Impact
When accessing a malicious website containing a specially crafted URL, the vulnerable app may be directed to connect to some unintended site.
As a result, the app’s internal information may be leaked and/or altered.
Solution
Solution for developers of affected applications
Rebuild the application in the latest development environment. Until the rebuilt version is published, remove the affected version from an application store.
Solution for users of affected applications
Please inquire the application developer.
Products Affected
- Android Apps that are developed in Yappli since v7.3.6 and prior to v9.30.0
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
0.002 Low
EPSS
Percentile
57.0%