jvndb - jvndb-2024-000065

jvndb-2024-000065

Vulnerability from jvndb

Published

2024-06-19 16:04

Modified

2024-06-19 16:04

Severity ?

4.3 (Medium) - cvssV3_0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

"ZOZOTOWN" App for Android fails to restrict custom URL schemes properly

Details

"ZOZOTOWN" App for Android provided by ZOZO, Inc. provides the function to access a URL requested via Custom URL Scheme. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.

References

Type

URL

	JVN	https://jvn.jp/en/jp/JVN37818611/index.html
	CVE	https://www.cve.org/CVERecord?id=CVE-2024-35298
	Permissions(CWE-264)	https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html

Impacted products

Vendor

Product

"ZOZOTOWN " App for Android

Show details on JVN DB website

To clipboard

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000065.html",
  "dc:date": "2024-06-19T16:04+09:00",
  "dcterms:issued": "2024-06-19T16:04+09:00",
  "dcterms:modified": "2024-06-19T16:04+09:00",
  "description": "\"ZOZOTOWN\" App for Android provided by ZOZO, Inc. provides the function to access a URL requested via Custom URL Scheme. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000065.html",
  "sec:cpe": {
    "#text": "cpe:/a:misc:zozo_android_app_zozotown",
    "@product": "\"ZOZOTOWN \" App for Android",
    "@vendor": "ZOZO, Inc.",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "4.3",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2024-000065",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN37818611/index.html",
      "@id": "JVN#37818611",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-35298",
      "@id": "CVE-2024-35298",
      "@source": "CVE"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    }
  ],
  "title": "\"ZOZOTOWN\" App for Android fails to restrict custom URL schemes properly"
}

CVE-2024-35298 (GCVE-0-2024-35298)

Vulnerability from cvelistv5

Published

2024-06-19 05:07

Modified

2024-08-02 03:07

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE

Improper authorization in handler for custom URL scheme

Summary

Improper authorization in handler for custom URL scheme issue in 'ZOZOTOWN' App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user's device. As a result, the user may become a victim of a phishing attack.

References

URL

Tags

https://jvn.jp/en/jp/JVN37818611/

Impacted products

	Vendor	Product	Version
	ZOZO, Inc.	'ZOZOTOWN' App for Android	Version: prior to 7.39.6

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-35298",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-21T14:53:53.152547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-939",
                "description": "CWE-939 Improper Authorization in Handler for Custom URL Scheme",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-21T14:56:33.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:07:46.969Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN37818611/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "\u0027ZOZOTOWN\u0027 App for Android",
          "vendor": "ZOZO, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 7.39.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper authorization in handler for custom URL scheme issue in \u0027ZOZOTOWN\u0027 App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another application installed on the user\u0027s device. As a result, the user may become a victim of a phishing attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper authorization in handler for custom URL scheme",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-19T05:07:24.711Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://jvn.jp/en/jp/JVN37818611/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2024-35298",
    "datePublished": "2024-06-19T05:07:24.711Z",
    "dateReserved": "2024-05-16T06:34:27.048Z",
    "dateUpdated": "2024-08-02T03:07:46.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.