Description
The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.
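The pattern described above is a generic Android one: a deeplink handler copies an attacker-controlled URL into a WebView that has a privileged `@JavascriptInterface` object attached, so whatever page loads can call the native methods. The following is an added illustrative example, not TikTok's code and not derived from the advisory's fixed version; the activity, bridge object, allowlisted hosts (`example-app.com`) and the `url` deeplink parameter are all hypothetical. It shows the vulnerable load in a comment beside a hardened handler that validates the parsed target and keeps validating on every navigation.

```java
// Added example (hypothetical app code), not TikTok's implementation.
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class DeeplinkWebViewActivity extends AppCompatActivity {

    // Hypothetical allowlist of first-party hosts the in-app WebView may show.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "www.example-app.com", "m.example-app.com"));

    private WebView webView;

    // Privileged bridge exposed to page JavaScript. Every page that ends up in this
    // WebView can call these methods, so the loaded URL must be trusted.
    private final class NativeBridge {
        @JavascriptInterface
        public String getSessionToken() { return lookupSessionToken(); }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new NativeBridge(), "NativeBridge");

        // VULNERABLE PATTERN: load the deeplink's target unchecked, e.g. from
        // myapp://webview?url=https://attacker.example/  Any site then reaches
        // NativeBridge.getSessionToken() with one click on the crafted link.
        //   String target = getIntent().getData().getQueryParameter("url");
        //   webView.loadUrl(target);

        // HARDENED: validate the parsed target first; reject instead of falling back.
        Uri deeplink = getIntent().getData();
        String target = deeplink == null ? null : deeplink.getQueryParameter("url");
        if (target == null || !isAllowedTarget(target)) {
            finish();
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Redirects and in-page navigation must also stay on allowlisted hosts;
                // returning true cancels the load.
                return !isAllowedTarget(request.getUrl().toString());
            }
        });
        webView.loadUrl(target);
    }

    /**
     * Exact-match check on the parsed URL: https only, no userinfo, host in the allowlist.
     * Substring or prefix checks such as url.contains("example-app.com") are bypassed by
     * https://example-app.com.attacker.example/ or https://attacker.example/?x=example-app.com.
     */
    static boolean isAllowedTarget(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equals(uri.getScheme())
                && uri.getUserInfo() == null
                && host != null
                && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    private String lookupSessionToken() { return "app-specific secret"; } // hypothetical
}
```

Two caveats a practitioner should keep in mind. `android.net.Uri` and the Chromium URL parser inside the WebView do not always agree on odd inputs, which is why the example re-checks the URL the WebView itself reports in `shouldOverrideUrlLoading` rather than trusting the deeplink string alone. And an allowlist only narrows who can reach the bridge; if the JavaScript interface is not needed on every page, attach it only for the screens that require it, or expose it through a mechanism bound to specific origins instead of to the whole WebView.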
References
- Third Party Advisory
- Issue Tracking; Third Party Advisory
- Third Party Advisory
- Third Party Advisory
- Issue Tracking; Third Party Advisory
- Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 23.7.3 (excluding 23.7.3)
cpe:2.3:a:tiktok:tiktok:*:*:*:*:*:android:*:*
EPSS
Percentile: 85%
Score: 0.02669
Rating: Low
CVSS3
8.8 High
CVSS2
6.8 Medium
Weaknesses
CWE-425: Direct Request ('Forced Browsing')