CWE-939
AllowedImproper Authorization in Handler for Custom URL Scheme
Abstraction: Base · Status: Incomplete
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
36 vulnerabilities reference this CWE, most recent first.
GHSA-H642-MPHJ-Q5V4
Vulnerability from github – Published: 2025-09-05 06:30 – Updated: 2025-09-05 06:30Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.
{
"affected": [],
"aliases": [
"CVE-2025-41408"
],
"database_specific": {
"cwe_ids": [
"CWE-939"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-05T06:15:30Z",
"severity": "MODERATE"
},
"details": "Improper authorization in handler for custom URL scheme issue in \"Yahoo! Shopping\" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack.",
"id": "GHSA-h642-mphj-q5v4",
"modified": "2025-09-05T06:30:29Z",
"published": "2025-09-05T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41408"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN35290164"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JFP9-MPFM-8QC7
Vulnerability from github – Published: 2024-08-29 03:30 – Updated: 2024-08-30 00:31'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.
{
"affected": [],
"aliases": [
"CVE-2024-41918"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-939"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-29T03:15:05Z",
"severity": "LOW"
},
"details": "\u0027Rakuten Ichiba App\u0027 for Android 12.4.0 and earlier and \u0027Rakuten Ichiba App\u0027 for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user\u0027s device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.",
"id": "GHSA-jfp9-mpfm-8qc7",
"modified": "2024-08-30T00:31:23Z",
"published": "2024-08-29T03:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41918"
},
{
"type": "WEB",
"url": "https://apps.apple.com/jp/app/%E6%A5%BD%E5%A4%A9%E5%B8%82%E5%A0%B4-%E3%81%8A%E8%B2%B7%E3%81%84%E7%89%A9%E3%81%A7%E6%A5%BD%E5%A4%A9%E3%83%9D%E3%82%A4%E3%83%B3%E3%83%88%E3%81%8C%E8%B2%AF%E3%81%BE%E3%82%8B%E4%BE%BF%E5%88%A9%E3%81%AA%E9%80%9A%E8%B2%A9%E3%82%A2%E3%83%97%E3%83%AA/id419267350"
},
{
"type": "WEB",
"url": "https://apps.apple.com/jp/app/id419267350"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN56648919"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=jp.co.rakuten.android\u0026hl=en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JGGQ-6MPJ-9V53
Vulnerability from github – Published: 2024-06-11 21:32 – Updated: 2025-03-01 03:30An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-33606"
],
"database_specific": {
"cwe_ids": [
"CWE-862",
"CWE-939"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T21:15:53Z",
"severity": "HIGH"
},
"details": "An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required to exploit this vulnerability.",
"id": "GHSA-jggq-6mpj-9v53",
"modified": "2025-03-01T03:30:54Z",
"published": "2024-06-11T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33606"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-MQQ8-FJX9-9QG8
Vulnerability from github – Published: 2024-12-05 03:31 – Updated: 2024-12-05 03:31Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead the application to access an arbitrary web site via another application installed on the user's device.
{
"affected": [],
"aliases": [
"CVE-2024-54014"
],
"database_specific": {
"cwe_ids": [
"CWE-939"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-05T03:15:14Z",
"severity": "LOW"
},
"details": "Improper authorization in handler for custom URL scheme issue in \u0027Skylark\u0027 App for Android 6.2.13 and earlier and \u0027Skylark\u0027 App for iOS 6.2.13 and earlier allows an attacker to lead the application to access an arbitrary web site via another application installed on the user\u0027s device.",
"id": "GHSA-mqq8-fjx9-9qg8",
"modified": "2024-12-05T03:31:03Z",
"published": "2024-12-05T03:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54014"
},
{
"type": "WEB",
"url": "https://apps.apple.com/jp/app/%E3%81%99%E3%81%8B%E3%81%84%E3%82%89%E3%83%BC%E3%81%8F%E3%82%A2%E3%83%97%E3%83%AA/id906930478"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/jp/JVN03447226"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=jp.co.skylark.app.gusto"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W284-7936-M8J9
Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.
{
"affected": [],
"aliases": [
"CVE-2026-6445"
],
"database_specific": {
"cwe_ids": [
"CWE-939"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T20:17:02Z",
"severity": "HIGH"
},
"details": "A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.",
"id": "GHSA-w284-7936-m8j9",
"modified": "2026-06-09T21:32:37Z",
"published": "2026-06-09T21:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6445"
},
{
"type": "WEB",
"url": "https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XM5C-4GF9-QF8C
Vulnerability from github – Published: 2026-06-12 21:31 – Updated: 2026-06-12 21:31Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
{
"affected": [],
"aliases": [
"CVE-2026-53407"
],
"database_specific": {
"cwe_ids": [
"CWE-939"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T19:16:29Z",
"severity": "HIGH"
},
"details": "Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.",
"id": "GHSA-xm5c-4gf9-qf8c",
"modified": "2026-06-12T21:31:44Z",
"published": "2026-06-12T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53407"
},
{
"type": "WEB",
"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-26010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Utilize a user prompt pop-up to authorize potentially harmful actions such as those modifying data or dealing with sensitive information.
- When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.
No CAPEC attack patterns related to this CWE.