CVE-2022-41797

Description

Improper authorization in handler for custom URL scheme vulnerability in Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

ByteDance K.K. / Lemon8 App for Android and Lemon8 App for iOSLemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5 – Lemon8 App for Android versions prior to 3.3.5 and Lemon8 App for iOS versions prior to 3.3.5

References

MISChttps://play.google.com/store/apps/details?id=com.bd.nproject&hl=ja&gl=US
VENDOR_ADVISORYhttps://apps.apple.com/jp/app/lemon8/id1498607143
MISChttps://jvn.jp/en/jp/JVN10921428/index.html