Published: 2024/06/21 Last Updated: 2024/06/21
JVNVU#91384468
LINE client for iOS vulnerable to universal cross-site scripting
Overview
The in-app browser of LINE client for iOS contains a universal cross-site scripting vulnerability.
Products Affected
- LINE Client for iOS versions prior to 14.9.0
Description
The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability (CWE-79, CVE-2024-5739).
Impact
If a user clicks a malicious iframe embedded in a website displayed in the in-app browser, arbitrary JavaScript may be executed from the iframe on the domain of the website.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released version 14.9.0 that contains a fix for this vulnerability.
Vendor Status
Vendor | Link |
---|---|
LY Corporation | CVE-2024-5739 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 6.1
Metric | Possible values | Selected value |
---|---|---|
Attack Vector (AV) | Physical (P), Local (L), Adjacent (A), Network (N) | Network (N) |
Attack Complexity (AC) | High (H), Low (L) | Low (L) |
Privileges Required (PR) | High (H), Low (L), None (N) | None (N) |
User Interaction (UI) | Required (R), None (N) | Required (R) |
Scope (S) | Unchanged (U), Changed (C) | Changed (C) |
Confidentiality Impact (C) | None (N), Low (L), High (H) | Low (L) |
Integrity Impact (I) | None (N), Low (L), High (H) | Low (L) |
Availability Impact (A) | None (N), Low (L), High (H) | None (N) |
Credit
LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.