"ZOZOTOWN" App for Android fails to restrict custom URL schemes properly


"ZOZOTOWN" App for Android provided by ZOZO, Inc. provides the function to access a URL requested via Custom URL Scheme. The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
Affected Products

ZOZO, Inc.
  • "ZOZOTOWN " App for Android versions prior to 7.39.6


A remote attacker may lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

[Update the Application]
Update the application to the latest version according to the information provided by the developer.
The developer has released the following version that fixes the vulnerability.

"ZOZOTOWN" App for Android version 7.39.6
Vendor Information

ZOZO, Inc.
CWE (What is CWE?)

  1. Permissions(CWE-264) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2024-35298

  1. JVN : JVN#37818611
Revision History

  • [2024/06/19]
      Web page was published