| CVE ID | |
| CVSS SCORE | 4.5, AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
| AFFECTED VENDORS | Tencent |
| AFFECTED PRODUCTS | WeChat |
| VULNERABILITY DETAILS | This vulnerability allows local attackers to modify requests on vulnerable installations of Tencent WeChat. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of URL schemes. The issue resides in improper validation of whether a URL scheme was acted upon by a malicious application. An attacker can leverage this vulnerability to steal tokens and manipulate requests in the context of the current user. |
| ADDITIONAL DETAILS | This issue was resolved and fixed on the server side. Hence, no patch version number is available. |
| DISCLOSURE TIMELINE | |
| CREDIT | lilang wu, moony Li and yuchen zhou of Trend Micro |