JVN#08430039
"Shonen Jump+" App for Android fails to restrict custom URL schemes properly
Overview
"Shonen Jump+" App for Android provided by SHUEISHA INC. fails to restrict custom URL schemes properly.
Products Affected
- "Shonen Jump+" App for Android versions prior to 4.0.0
Description
"Shonen Jump+" App for Android provided by SHUEISHA INC. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.
Impact
A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
Solution
Update the Application
Update the application to the latest version according to the information provided by the developer.
The developer states there is no need for users to take any actions since the application is automatically updated when it is launched.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Credit
Toshiki Iwasaki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-54125 |
| JVN iPedia |
JVNDB-2024-000127 |