Japan Vulnerability Notes (JVN), JVN:70818619
Jan 24, 2024 - 12:00 a.m.

JVN#70818619: "Mercari" App for Android fails to restrict custom URL schemes properly

2024-01-24 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS3: 6.1 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 7 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 25.2%)

“Mercari” App for Android by Mercari, Inc. provides a function to access a requested URL through a custom URL scheme. The App does not properly restrict access to this function (CWE-939), which may be exploited to direct the App to access any site.

Impact

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.

Products Affected

  • “Mercari” App for Android prior to version 5.78.0
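
For developers whose apps load a URL handed in through a custom URL scheme, the Kotlin example below shows the kind of restriction CWE-939 calls for. It is an added example, not code from the advisory or from Mercari; the scheme name `exampleapp`, the `url` parameter and the host allowlist are hypothetical, since the advisory names none of them.

```kotlin
import java.net.URI
import java.net.URLDecoder

// Hypothetical values: the advisory does not name the scheme, parameter or hosts.
private const val APP_SCHEME = "exampleapp"
private const val TARGET_PARAM = "url"
private val ALLOWED_HOSTS = setOf("www.example.com", "help.example.com")

/** Returns the URL the app may load, or null when the deep link must be refused. */
fun resolveDeepLinkTarget(deepLink: String): String? {
    val link = runCatching { URI(deepLink) }.getOrNull() ?: return null
    if (!APP_SCHEME.equals(link.scheme, ignoreCase = true)) return null

    // Take the raw target parameter; refuse links that are missing it or repeat it.
    val raw = link.rawQuery?.split("&")
        ?.map { it.split("=", limit = 2) }
        ?.singleOrNull { it.size == 2 && it[0] == TARGET_PARAM }
        ?.get(1) ?: return null
    val decoded = runCatching { URLDecoder.decode(raw, "UTF-8") }.getOrNull() ?: return null

    // Parse strictly; URI rejects spaces, backslashes and other malformed input.
    val target = runCatching { URI(decoded) }.getOrNull() ?: return null
    val host = target.host?.lowercase() ?: return null // null for opaque or odd authorities
    val allowed = "https".equals(target.scheme, ignoreCase = true) &&
        target.rawUserInfo == null &&                  // no https://allowed-host@other-host/
        (target.port == -1 || target.port == 443) &&
        host in ALLOWED_HOSTS                          // exact match, never substring or suffix
    // Return the parsed form so the value loaded is the value that was checked.
    return if (allowed) target.toASCIIString() else null
}

fun main() {
    // Constructed sample deep links (not taken from the advisory).
    val samples = listOf(
        "exampleapp://open?url=https%3A%2F%2Fwww.example.com%2Fitems%2F1",
        "exampleapp://open?url=https%3A%2F%2Fwww.example.com.other.example%2F",
        "exampleapp://open?url=https%3A%2F%2Fwww.example.com%40other.example%2F",
        "exampleapp://open?url=http%3A%2F%2Fwww.example.com%2F",
        "exampleapp://open?url=javascript%3Aalert(1)",
    )
    for (s in samples) println("${resolveDeepLinkTarget(s) ?: "REFUSED"}  <-  $s")
}
```

In an Android handler the input would be the incoming intent's data URI, and only a non-null result would be passed on to the WebView or browser.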
