Today > | 3 Medium vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-5739

June 12, 2024, 9:15 a.m.

CVSS Score

6.1 / 10

Product(s) Impacted

LINE for iOS

  • below 14.9.0

LINE client for iOS

  • below 14.9.0

Description

The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app browser. The in-app browser is usually opened by tapping on URLs contained in chat messages, and for the attack to be successful, the victim must trigger a click event on a malicious iframe. If an iframe embedded in any website can be controlled by an attacker, this vulnerability could be exploited to capture or alter content displayed in the top frame, as well as user session information. This vulnerability affects LINE client for iOS versions below 14.9.0 and does not affect other LINE clients such as LINE client for Android. Please update LINE client for iOS to version 14.9.0 or higher.

Weaknesses

Date

Published: June 12, 2024, 7:15 a.m.

Last Modified: June 12, 2024, 9:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

dl_cve@linecorp.com

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score
6.1
Exploitability Score
Impact Score
Base Severity
MEDIUM
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

https://hackerone.com/ dl_cve@linecorp.com