1337DAY-ID-34966

Framer Preview 12 Content Injection Vulnerability

2020-09-22 00:00:00
Julien Ahrens
0day.today

CVSS2: 1.9 Low
  Attack Vector:          LOCAL
  Attack Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: NONE
  Integrity Impact:       PARTIAL
  Availability Impact:    NONE
  Vector:                 AV:L/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 5.5 Medium
  Attack Vector:          LOCAL
  Attack Complexity:      LOW
  Privileges Required:    NONE
  User Interaction:       REQUIRED
  Scope:                  UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact:       HIGH
  Availability Impact:    NONE
  Vector:                 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.001 Low (Percentile 39.8%)

Framer Preview version 12 for Android exposes an activity to other apps called "com.framer.viewer.FramerViewActivity". The purpose of this activity is to show the contents of a given URL to the app user in a fullscreen overlay. However, the app neither enforces any authorization scheme on the activity nor validates the given URL.

1. ADVISORY INFORMATION
=======================
Product:        Framer Preview
Vendor URL:     https://play.google.com/store/apps/details?id=com.framerjs.android
Type:           Improper Export of Android Application Components [CWE-926]
Date found:     2020-09-06
Date published: 2020-09-22
CVSSv3 Score:   5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVE:            CVE-2020-25203


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Framer Preview 12


4. INTRODUCTION
===============
Framer Preview is the best way to view and interact with your Framer X and Framer
Classic projects on Android phones and tablets.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The "Framer Preview" app for Android exposes an activity to other apps called
"com.framer.viewer.FramerViewActivity". The purpose of this activity is to show
the contents of a given URL to the app user in a fullscreen overlay.

However, the app neither enforces any authorization scheme on the activity
(it is exported without a permission requirement) nor validates the given URL.

This can be abused by an attacker (a malicious app on the same device) to load
any website/web content into the fullscreen overlay. An exemplary exploit could
look like the following:

import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;

// Explicit intent aimed at the exported activity; no permission or user
// interaction inside the target app is required to reach it.
Intent i = new Intent();
i.setComponent(new ComponentName("com.framerjs.android", "com.framer.viewer.FramerViewActivity"));
i.setAction("android.intent.action.VIEW");
i.setData(Uri.parse("https://www.rcesecurity.com"));
startActivity(i);
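The fix for this class of issue (CWE-926) has two parts: stop exporting the
activity unless other apps genuinely need it, and, if it must stay reachable,
refuse any URL that is not on an explicit allowlist. The following is an added
example written for this advisory, not Framer's own code: a hypothetical
hardened viewer activity (class name, package and the allowlisted host names are
all constructed placeholders) that validates the incoming intent's data URI
before rendering it, together with the manifest attribute that removes the
exposure in the first place.

```java
/*
 * Added example (not Framer's code). Hardened variant of a URL viewer activity.
 *
 * Primary fix, in AndroidManifest.xml: do not export the activity at all.
 *
 *   <activity android:name=".HardenedViewActivity"
 *             android:exported="false" />
 *
 * If the activity must remain exported (deep links, share targets), the URL
 * check below is the second line of defence.
 */
package com.example.hardenedviewer; // hypothetical package name

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class HardenedViewActivity extends Activity {

    // Only pages on these hosts may be shown inside the fullscreen overlay.
    // Placeholder hosts; a real deployment lists the vendor's own preview hosts.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(
            Arrays.asList("preview.example.com", "cdn.example.com"));

    /** Returns true only for an https URL whose host is on the allowlist. */
    static boolean isAllowedPreviewUrl(Uri uri) {
        if (uri == null) {
            return false;
        }
        // Reject http, javascript:, file:, content: and any other scheme.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        // Exact host match only: no suffix or substring comparison, so a host
        // such as "preview.example.com.attacker.invalid" is rejected.
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Uri requested = getIntent().getData();
        if (!isAllowedPreviewUrl(requested)) {
            // Nothing from an untrusted URL is ever rendered under this app's
            // branding; finish before any view is attached.
            finish();
            return;
        }

        WebView view = new WebView(this);
        view.loadUrl(requested.toString());
        setContentView(view);
    }
}
```

The check is deliberately an exact match on the parsed host rather than a
string prefix test on the raw URL, because prefix tests are defeated by
userinfo tricks ("https://preview.example.com@attacker.invalid/") and by
look-alike subdomains; parsing with android.net.Uri and comparing the host
component avoids both. With android:exported="false" in place, the intent
shown in the advisory is rejected by the system before onCreate ever runs, so
the allowlist only matters for activities that have to stay reachable.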


6. RISK
=======
A malicious app on the same device is able to exploit this vulnerability to lead
the user to any webpage/content. The specific problem here is the assumed trust
boundary between the user having the Framer Preview app installed and what the app
is actually doing/displaying to the user: when the user sees the Framer Preview app
open and automatically load a page, the user will assume that the loaded page is
as trustworthy as the app itself.

