CVE-2019-9140

Published: Aug 1, 2019Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn't check Deeplink URL correctly. This could lead to javascript code execution, url redirection, sensitive information disclosure. An attacker can exploit this issue by enticing an unsuspecting user to open a specific malicious URL.

Affected (1)

Products: Happypointcard: Happypoint

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Happypointcard Happypoint	Version 6.3.19

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35103

Source: vuln@krcert.or.kr

Third Party Advisory

https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=35103

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.