CVE-2024-5739

{"id": "CVE-2024-5739", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "dl_cve@linecorp.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-06-12T07:15:51.650", "references": [{"url": "https://hackerone.com/reports/2284129", "source": "dl_cve@linecorp.com"}, {"url": "https://hackerone.com/reports/2284129", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app browser. The in-app browser is usually opened by tapping on URLs contained in chat messages, and for the attack to be successful, the victim must trigger a click event on a malicious iframe. If an iframe embedded in any website can be controlled by an attacker, this vulnerability could be exploited to capture or alter content displayed in the top frame, as well as user session information. This vulnerability affects LINE client for iOS versions below 14.9.0 and does not affect other LINE clients such as LINE client for Android. Please update LINE client for iOS to version 14.9.0 or higher."}, {"lang": "es", "value": "El navegador integrado en la aplicaci\u00f3n del cliente LINE para versiones de iOS inferiores a 14.9.0 contiene una vulnerabilidad Universal XSS (UXSS). Esta vulnerabilidad permite cross-site scripting (XSS), donde se puede ejecutar JavaScript arbitrario en el framework superior desde un iframe incrustado en cualquier sitio web mostrado dentro del navegador de la aplicaci\u00f3n. El navegador de la aplicaci\u00f3n generalmente se abre tocando las URL contenidas en los mensajes de chat y, para que el ataque tenga \u00e9xito, la v\u00edctima debe activar un evento de clic en un iframe malicioso. Si un atacante puede controlar un iframe incrustado en cualquier sitio web, esta vulnerabilidad podr\u00eda aprovecharse para capturar o alterar el contenido que se muestra en el framework superior, as\u00ed como la informaci\u00f3n de la sesi\u00f3n del usuario. Esta vulnerabilidad afecta al cliente LINE para versiones de iOS inferiores a 14.9.0 y no afecta a otros clientes LINE, como el cliente LINE para Android. Actualice el cliente LINE para iOS a la versi\u00f3n 14.9.0 o superior."}], "lastModified": "2025-03-29T00:15:24.117", "sourceIdentifier": "dl_cve@linecorp.com"}