Published: 2025/09/05  Last Updated: 2025/09/05

JVN#35290164
"Yahoo! Shopping" App for Android fails to restrict custom URL schemes properly

Overview

"Yahoo! Shopping" App for Android provided by LY Corporation fails to restrict custom URL schemes properly.

Products Affected

  • "Yahoo! Shopping" App for Android versions prior to 14.15.0

Description

"Yahoo! Shopping" App for Android provided by LY Corporation contains the following vulnerability.

  • Improper authorization in handler for custom URL scheme (CWE-939)
    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score 4.3
    • CVE-2025-41408

Impact

A remote unauthenticated attacker may lead a user to access an arbitrary website through the vulnerable App. As a result, the user may become a victim of a phishing attack.

Solution

Update the application
Update the application to the latest version according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
LY Corporation | Vulnerable | 2025/09/05 |

Credit

Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2025-41408
JVN iPedia: JVNDB-2025-000071