Common Weakness Enumeration

CWE-939

Allowed

Improper Authorization in Handler for Custom URL Scheme

Abstraction: Base · Status: Incomplete

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

36 vulnerabilities reference this CWE, most recent first.

GHSA-H642-MPHJ-Q5V4

Vulnerability from github – Published: 2025-09-05 06:30 – Updated: 2025-09-05 06:30
VLAI
Details

Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-41408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-939"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T06:15:30Z",
    "severity": "MODERATE"
  },
  "details": "Improper authorization in handler for custom URL scheme issue in \"Yahoo! Shopping\" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.",
  "id": "GHSA-h642-mphj-q5v4",
  "modified": "2025-09-05T06:30:29Z",
  "published": "2025-09-05T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41408"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN35290164"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JFP9-MPFM-8QC7

Vulnerability from github – Published: 2024-08-29 03:30 – Updated: 2024-08-30 00:31
VLAI
Details

'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41918"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-939"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-29T03:15:05Z",
    "severity": "LOW"
  },
  "details": "\u0027Rakuten Ichiba App\u0027 for Android 12.4.0 and earlier and \u0027Rakuten Ichiba App\u0027 for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user\u0027s device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.",
  "id": "GHSA-jfp9-mpfm-8qc7",
  "modified": "2024-08-30T00:31:23Z",
  "published": "2024-08-29T03:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41918"
    },
    {
      "type": "WEB",
      "url": "https://apps.apple.com/jp/app/%E6%A5%BD%E5%A4%A9%E5%B8%82%E5%A0%B4-%E3%81%8A%E8%B2%B7%E3%81%84%E7%89%A9%E3%81%A7%E6%A5%BD%E5%A4%A9%E3%83%9D%E3%82%A4%E3%83%B3%E3%83%88%E3%81%8C%E8%B2%AF%E3%81%BE%E3%82%8B%E4%BE%BF%E5%88%A9%E3%81%AA%E9%80%9A%E8%B2%A9%E3%82%A2%E3%83%97%E3%83%AA/id419267350"
    },
    {
      "type": "WEB",
      "url": "https://apps.apple.com/jp/app/id419267350"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN56648919"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=jp.co.rakuten.android\u0026hl=en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JGGQ-6MPJ-9V53

Vulnerability from github – Published: 2024-06-11 21:32 – Updated: 2025-03-01 03:30
VLAI
Details

An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862",
      "CWE-939"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-11T21:15:53Z",
    "severity": "HIGH"
  },
  "details": "An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.",
  "id": "GHSA-jggq-6mpj-9v53",
  "modified": "2025-03-01T03:30:54Z",
  "published": "2024-06-11T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33606"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-MQQ8-FJX9-9QG8

Vulnerability from github – Published: 2024-12-05 03:31 – Updated: 2024-12-05 03:31
VLAI
Details

Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead the application to access an arbitrary web site via another application installed on the user's device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-939"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-05T03:15:14Z",
    "severity": "LOW"
  },
  "details": "Improper authorization in handler for custom URL scheme issue in \u0027Skylark\u0027 App for Android 6.2.13 and earlier and \u0027Skylark\u0027 App for iOS 6.2.13 and earlier allows an attacker to lead the application to access an arbitrary web site via another application installed on the user\u0027s device.",
  "id": "GHSA-mqq8-fjx9-9qg8",
  "modified": "2024-12-05T03:31:03Z",
  "published": "2024-12-05T03:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54014"
    },
    {
      "type": "WEB",
      "url": "https://apps.apple.com/jp/app/%E3%81%99%E3%81%8B%E3%81%84%E3%82%89%E3%83%BC%E3%81%8F%E3%82%A2%E3%83%97%E3%83%AA/id906930478"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN03447226"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=jp.co.skylark.app.gusto"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W284-7936-M8J9

Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32
VLAI
Details

A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6445"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-939"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-09T20:17:02Z",
    "severity": "HIGH"
  },
  "details": "A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.",
  "id": "GHSA-w284-7936-m8j9",
  "modified": "2026-06-09T21:32:37Z",
  "published": "2026-06-09T21:32:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6445"
    },
    {
      "type": "WEB",
      "url": "https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XM5C-4GF9-QF8C

Vulnerability from github – Published: 2026-06-12 21:31 – Updated: 2026-06-12 21:31
VLAI
Details

Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-939"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-12T19:16:29Z",
    "severity": "HIGH"
  },
  "details": "Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.",
  "id": "GHSA-xm5c-4gf9-qf8c",
  "modified": "2026-06-12T21:31:44Z",
  "published": "2026-06-12T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53407"
    },
    {
      "type": "WEB",
      "url": "https://www.zoom.com/en/trust/security-bulletin/zsb-26010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information.
  • When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.

No CAPEC attack patterns related to this CWE.