CVE ID | |
CVSS SCORE | 4.5, AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
AFFECTED VENDORS |
Alibaba |
AFFECTED PRODUCTS |
Alipay |
VULNERABILITY DETAILS |
This vulnerability allows local attackers to modify requests on affected installations of Alibaba Alipay. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of URL schemes. The issue resides in improper validation of whether a URL scheme was acted upon by a malicious application. An attacker can leverage this vulnerability to steal tokens and manipulate requests in the context of the current user. |
ADDITIONAL DETAILS |
This vulnerability is being disclosed publicly without a patch due to lack of vendor response. 08/31/18 - ZDI reported vulnerability to vendor -- Mitigation: |
DISCLOSURE TIMELINE |
|
CREDIT | lilang wu, moony Li and yuchen zhou of Trend Micro |