back to overview print

Cross-App Scripting vulnerability in a mobile app of an international smart home device manufacturer allowed an attacker to load arbitrary URLs inside the android app via an app deeplink

Other

NTCF:
NTCF-2024-91121

Product:
Classified

Vendor:
Classified

Criticality:
low

Status:
fixed

Discovered:
2024-06-17

Detail:
Classified

Description

In accordance with the NTC Vulnerability Disclosure Policy, the details of this vulnerability will not be publicly disclosed.

Neither the product and vendor name nor a detailed description of the vulnerability will be publicly released if all of the following conditions are met:

the vendor fixes the vulnerability without requiring any action by the affected parties (e.g. a cloud service where the user is not required to install patches)
there is no indication that the vulnerability has been exploited (e.g. in the log files)

Further details may be provided on request. Please use the contact form.

2024-06-17: initial discovery

2024-06-19: first contact to vendor

2024-07-09: private disclosure to vendor

2024-07-19: fix by vendor

2024-07-24: public disclosure

Cross-App Scripting vulnerability in a mobile app of an international smart home device manufacturer allowed an attacker to load arbitrary URLs inside the android app via an app deeplink

Description

Timeline