[Japanese]

JVNDB-2023-000085

"Skylark" App fails to restrict custom URL schemes properly

Overview

"Skylark" App provided by SKYLARK HOLDINGS CO., LTD. provides the function to access a requested URL using Custom URL Scheme. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.

Shunsuke Kaneko of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.6 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


SKYLARK HOLDINGS CO., LTD.
  • Skylark App for Android versions 6.2.13 and earlier
  • Skylark App for iOS versions 6.2.13 and earlier

Impact

An arbitrary site may be displayed on the WebView of the product by using another application installed on the user's device. As a result, the user may be redirected to a malicious site.
Solution

[Update the application]
Update the application to the latest version according to the information provided by the developer.
Vendor Information

SKYLARK HOLDINGS CO., LTD.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-40530
References

  1. JVN : JVN#03447226
  2. National Vulnerability Database (NVD) : CVE-2023-40530
Revision History

  • [2023/08/24]
      Web page published
  • [2024/05/15]
      References : Content was added