Vulnerabilities > CVE-2024-41918 - Missing Authorization vulnerability in Rakuten Ichiba

CVSS 6.1 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

low complexity

rakuten

CWE-862

NVD

Published: 2024-08-29

Updated: 2024-08-30

Summary

'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.

Vulnerable Configurations

Part	Description	Count
Application	Rakuten Rakuten Ichiba *	2

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://play.google.com/store/apps/details?id=jp.co.rakuten.android&hl=en
https://jvn.jp/en/jp/JVN56648919/
https://apps.apple.com/jp/app/id419267350