[Japanese]

JVNDB-2015-000135

Photon vulnerable to URL whitelist bypass

Overview

Photon provided by Newphoria Corporation Inc. is an application for Android built using "applican". Photon contains an issue where an arbitrary page may be loaded if the application is launched using the URL-scheme.

Kenta Suefusa and Tomonori Shiomi of Sprout Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Newphoria Corporation
  • Photon for Android versions 1.1 and earlier

Impact

Android version of this app may allow an applican API to be executed if that API has been granted permission in the android manifest.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

Newphoria Corporation
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-5637
References

  1. JVN : JVN#19948778
  2. National Vulnerability Database (NVD) : CVE-2015-5637
Revision History

[2015/09/16]
  Web page was published
[2015/10/02]
  References : Content was added