The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (an unvalidated deeplink) can force the WebView in the com.zhiliaoapp.musically package (the TikTok Android app) to load an arbitrary website. Because the app attaches a JavaScript interface to that WebView, an attacker-controlled page loaded through the deeplink can call the interface's methods, which may allow account takeover with a single click on the link.
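The pattern the description refers to, as an added illustrative example that is not TikTok's code and is not taken from the advisory: a deeplink parameter is loaded straight into a WebView that carries an `addJavascriptInterface` bridge, next to a hardened variant that validates the deeplink target and re-checks every top-level navigation. The class, bridge and parameter names (`DeepLinkWebView`, `AccountBridge`, `url`, the allowed hosts) are hypothetical.

```java
// Added example, not TikTok's code. DeepLinkWebView, AccountBridge, the "url"
// deeplink parameter and ALLOWED_HOSTS are hypothetical names for illustration.
package example.deeplink;

import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public final class DeepLinkWebView {

    // Anything annotated @JavascriptInterface is callable as window.AccountBridge.<method>()
    // from EVERY page the WebView ever loads, not only the app's own pages. Exposing session
    // material through such a bridge is what turns an open deeplink into account takeover.
    static final class AccountBridge {
        private final String sessionToken;
        AccountBridge(String sessionToken) { this.sessionToken = sessionToken; }

        @JavascriptInterface
        public String getSessionToken() { return sessionToken; }
    }

    // VULNERABLE: the deeplink's "url" query parameter is loaded without validation, so
    // myapp://open?url=https://attacker.example puts the attacker's page beside the bridge.
    static void openUnsafe(WebView webView, Uri deepLink, String sessionToken) {
        String target = deepLink.getQueryParameter("url");
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new AccountBridge(sessionToken), "AccountBridge");
        webView.loadUrl(target);
    }

    // HARDENED: exact scheme + host allowlist, applied to the deeplink target and to every
    // later top-level navigation. Hypothetical first-party hosts.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("www.example-app.com", "m.example-app.com"));

    static boolean isAllowed(String url) {
        if (url == null) return false;
        Uri u = Uri.parse(url);
        if (!"https".equals(u.getScheme())) return false;   // no http, javascript:, file:, custom schemes
        if (u.getUserInfo() != null) return false;          // reject https://allowed.host@attacker.example
        String host = u.getHost();
        if (host == null) return false;
        // exact match only: "www.example-app.com.attacker.example" and suffix tricks fail here
        return ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    static boolean openSafe(WebView webView, Uri deepLink, String sessionToken) {
        String target = deepLink.getQueryParameter("url");
        if (!isAllowed(target)) return false;               // caller shows an error / ignores the link
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient() {
            // A redirect or a link on an allowed page must not carry the bridge to a foreign
            // origin; returning true cancels the navigation.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowed(request.getUrl().toString());
            }
        });
        webView.addJavascriptInterface(new AccountBridge(sessionToken), "AccountBridge");
        webView.loadUrl(target);
        return true;
    }
}
```

Two caveats a reviewer would raise on the hardened version: `android.net.Uri` and the WebView's own URL parser can disagree on odd inputs (backslashes, mixed-case schemes, embedded credentials), so the checks on scheme and userinfo are there to narrow the input before the host comparison rather than as a substitute for it; and even with a correct allowlist, any XSS or open redirect on an allowed host still reaches the bridge, so the bridge itself should expose nothing that is useful for takeover (a method returning a session token, as in the example, should not exist at all).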
References
| Link | Resource |
|---|---|
https://github.com/Ch0pin/security-advisories/security/advisories/GHSA-v39p-88q5-5cvr | Third Party Advisory |
https://hackerone.com/reports/1500614 | Issue Tracking Third Party Advisory |
https://support.tiktok.com/en/safety-hc/reporting-security-vulnerabilities/reporting-the-security-vulnerabilities | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-05-30T13:46:19
Updated: 2022-08-04T13:43:40
Reserved: 2022-04-08T00:00:00
Link: CVE-2022-28799
NVD Information
Status : Analyzed
Published: 2022-06-02T14:15:46.047
Modified: 2022-12-09T19:33:33.407
Link: CVE-2022-28799
Redhat Information
No data.
CWE