Published:2021/06/02 Last Updated:2021/06/02
JVN#91691168
goo blog App fails to restrict custom URL schemes properly
Overview
goo blog App fails to restrict custom URL schemes properly.
Products Affected
- goo blog App for Android ver.1.2.25 and earlier
- goo blog App for iOS ver.1.3.3 and earlier
Description
goo blog App by NTT Resonant Incorporated provides the function to access a requested URL using Custom URL Scheme.
The App does not restrict access to the function properly (CWE-284) which may be exploited to direct the App to access any sites.
Impact
A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
Solution
Update the Application
Update the application to the latest version according to the information provided by the developer.
The developer has released the following versions.
- goo blog App for Android ver.1.2.26
- goo blog App for iOS ver.1.3.4
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
NTT Resonant Incorporated | Vulnerable | 2021/06/02 | NTT Resonant Incorporated website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Base Score:
4.3
CVSS v2
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score:
4.3
Credit
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2021-20728 |
JVN iPedia |
JVNDB-2021-000045 |