Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-41797: Lemon8 App fails to restrict access permissions

Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

CVE
Open in Source
#vulnerability#web#ios#android#perl#auth

Published:2022/10/19 Last Updated:2022/10/19

Overview

Lemon8 fails to restrict access permissions.

Products Affected

  • Lemon8 App for Android versions prior to 3.3.5
  • Lemon8 App for iOS versions prior to 3.3.5

Description

Lemon8 by ByteDance K.K. provides the function to access a requested URL using Custom URL Scheme/DeepLink. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.

Impact

A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

Solution

Update the Application
Update the application to the latest version according to the information provided by the developer.
The developer has released the following versions:

  • Lemon8 App for Android version 3.3.5
  • Lemon8 App for iOS version 3.3.5

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Attack Vector(AV)

Physical §

Local (L)

Adjacent (A)

Network (N)

Attack Complexity(AC)

High (H)

Low (L)

Privileges Required(PR)

High (H)

Low (L)

None (N)

User Interaction(UI)

Required ®

None (N)

Scope(S)

Unchanged (U)

Changed ©

Confidentiality Impact©

None (N)

Low (L)

High (H)

Integrity Impact(I)

None (N)

Low (L)

High (H)

Availability Impact(A)

None (N)

Low (L)

High (H)

CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector(AV)

Local (L)

Adjacent Network (A)

Network (N)

Access Complexity(AC)

High (H)

Medium (M)

Low (L)

Authentication(Au)

Multiple (M)

Single (S)

None (N)

Confidentiality Impact©

None (N)

Partial §

Complete ©

Integrity Impact(I)

None (N)

Partial §

Complete ©

Availability Impact(A)

None (N)

Partial §

Complete ©

Credit

Ryo Sato of BroadBand Security,Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE