CVE-2023-51219

{"id": "CVE-2023-51219", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2024-06-03T20:15:08.810", "references": [{"url": "https://news.ycombinator.com/item?id=40776880", "source": "cve@mitre.org"}, {"url": "https://stulle123.github.io/posts/kakaotalk-account-takeover/", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact was further escalated by triggering another WebView that leaked its access token in a HTTP request header. Ultimately, this access token could be used to take over another user's account and read her/his chat messages."}, {"lang": "es", "value": "Un problema de validaci\u00f3n de enlace profundo en KakaoTalk 10.4.3 permiti\u00f3 que un adversario remoto dirigiera a los usuarios a ejecutar cualquier JavaScript controlador de atacante dentro de un WebView. El impacto se intensific\u00f3 a\u00fan m\u00e1s al activar otro WebView que filtr\u00f3 su token de acceso en un encabezado de solicitud HTTP. En \u00faltima instancia, este token de acceso podr\u00eda usarse para hacerse cargo de la cuenta de otro usuario y leer sus mensajes de chat."}], "lastModified": "2024-11-12T20:35:04.087", "sourceIdentifier": "cve@mitre.org"}