Published: 2015/11/17  Last Updated: 2015/11/17

Information from Newphoria Corporation

Vulnerability ID:JVN#64625488
Title:applican vulnerable to script injection
Status:Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

[Summary]
Script injection vulnerability under specific conditions has been found in applications build by Applican.

[Affected application]
Applications built using Android runtime up to version 1.12.6 or iOS runtime up to version 1.12.3 there’s a spot where a user can perform anchor attachment within WebView.

[Supposed effect]
Possibility of an unsanctioned execution of an Applican API by the malicious party.

[Resolution method]
Update the runtime engine to version 1.13.0. Update the affected application.

[Acknowledgements]
This vulnerability report was sent according to Information Security Early Warning partnership within regulation between our company and IPA with JPCERT/CC.
The information regarding the vulnerability was reported to us by Sprout Inc. Our special thanks to Kenta Suefusa and Tomonori Shiomi of Sprout Inc., and also to anyone involved into Information Security Early Warning partnership.