A cross-app scripting vulnerability in the Arenti Android app allowed an attacker to show an arbitrary website in the context of the app
Surveillance
NTCF: NTCF-2024-21800
Product: Arenti
Vendor: Hangzhou Arenti Technology Co., Ltd.
Criticality: low
Status: fixed
Discovered: 2024-07-04
Detail: Public
Vulnerable version: <4.5.2
Fixed version: 4.5.2
Description
The Arenti Android app was vulnerable to cross-app scripting prior to version 4.5.2.
All users are advised to update to the latest version available on Google Play: https://play.google.com/store/apps/details?id=com.arenti.smartlife&hl=de_CH
In accordance with the NTC Vulnerability Disclosure Policy, no technical details about this vulnerability will be publicly disclosed. Further details may be provided on a case-by-case basis. Please use the contact form and provide an explanation for your request.
Timeline
2024-07-04: initial discovery
2024-07-26: first contact to vendor
2024-08-19: private disclosure to vendor
2025-01-06: asked for status update and informed vendor about the public disclosure
2025-01-07: fix by vendor
2025-01-07: reply from vendor that the emails had been lost due to technical problems, which were since resolved
2025-01-15: public disclosure