All the vulnerabilities related to Mercari Co., Ltd. - Mercari
jvndb-2020-000043
Vulnerability from jvndb
Published
2020-07-08 16:04
Modified
2020-07-08 16:04
Summary
Android App "Mercari" (Japan version) vulnerable to arbitrary method execution of the Java object
Details
Android App "Mercari" (Japan version) provided by Mercari, Inc. contains an arbitrary Java method execution vulnerability (CWE-749) due to inadequate restrictions on addJavascriptInterface of the WebView class. Taichi Kotake of Akatsuki Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products
Mercari Co., Ltd. - Mercari


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000043.html",
  "dc:date": "2020-07-08T16:04+09:00",
  "dcterms:issued": "2020-07-08T16:04+09:00",
  "dcterms:modified": "2020-07-08T16:04+09:00",
  "description": "Android App \"Mercari\" (Japan version) provided by Mercari, Inc. contains vulnerability that an arbitrary Java method execution (CWE-749) due to inadequate restrictions on addJavascriptInterface of WebView class.\r\n\r\nTaichi Kotake of Akatsuki Inc. reported this vulnerability to IPA.\r\n JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2020/JVNDB-2020-000043.html",
  "sec:cpe": {
    "#text": "cpe:/a:mercari:mercari",
    "@product": "Mercari",
    "@vendor": "Mercari Co., Ltd.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.1",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
      "@version": "2.0"
    },
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2020-000043",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN93167107/index.html",
      "@id": "JVN#93167107",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5604",
      "@id": "CVE-2020-5604",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2020-5604",
      "@id": "CVE-2020-5604",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-Other",
      "@title": "No Mapping(CWE-Other)"
    }
  ],
  "title": "Android App \"Mercari\" (Japan version) vulnerable to arbitrary method execution of the Java object"
}

jvndb-2024-000005
Vulnerability from jvndb
Published
2024-01-24 13:46
Modified
2024-03-04 18:01
Summary
"Mercari" App for Android fails to restrict custom URL schemes properly
Details
"Mercari" App for Android by Mercari, Inc. provides a function to access a requested URL using a custom URL scheme. The app does not properly restrict access to this function (CWE-939), which may be exploited to direct the app to access arbitrary sites. Shiga Takuma of BroadBand Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products
Mercari Co., Ltd. - Mercari


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000005.html",
  "dc:date": "2024-03-04T18:01+09:00",
  "dcterms:issued": "2024-01-24T13:46+09:00",
  "dcterms:modified": "2024-03-04T18:01+09:00",
  "description": "\"Mercari\" App for Android by Mercari, Inc. provides the function to access a requested URL using Custom URL Scheme.  The App does not restrict access to the function properly (CWE-939) which may be exploited to direct the App to access any sites.\r\n\r\nShiga Takuma of BroadBand Security Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2024/JVNDB-2024-000005.html",
  "sec:cpe": {
    "#text": "cpe:/a:mercari:mercari",
    "@product": "Mercari",
    "@vendor": "Mercari Co., Ltd.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "3.3",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2024-000005",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN70818619/index.html",
      "@id": "JVN#70818619",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2024-23388",
      "@id": "CVE-2024-23388",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2024-23388",
      "@id": "CVE-2024-23388",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    }
  ],
  "title": "\"Mercari\" App for Android fails to restrict custom URL schemes properly"
}

jvndb-2021-000096
Vulnerability from jvndb
Published
2021-10-29 15:11
Modified
2021-10-29 15:11
Summary
Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) vulnerable to improper handling of Intent
Details
Android App "Mercari (Merpay) - Marketplace and Mobile Payments App" (Japan version) provided by Mercari, Inc. is vulnerable to improper handling of Intent (CWE-939). RyotaK reported this vulnerability to Mercari, Inc. and Mercari, Inc. reported it to JPCERT/CC to disclose the vulnerability through JVN.
Impacted products
Mercari Co., Ltd. - Mercari


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000096.html",
  "dc:date": "2021-10-29T15:11+09:00",
  "dcterms:issued": "2021-10-29T15:11+09:00",
  "dcterms:modified": "2021-10-29T15:11+09:00",
  "description": "Android App \"Mercari (Merpay) - Marketplace and Mobile Payments App\" (Japan version) provided by Mercari, Inc. is vulnerable to improper handling of Intent (CWE-939).\r\n\r\nRyotaK reported this vulnerability to Mercari, Inc. and Mercari, Inc. reported it to JPCERT/CC to disclose the vulnerability through JVN.",
  "link": "https://jvndb.jvn.jp/en/contents/2021/JVNDB-2021-000096.html",
  "sec:cpe": {
    "#text": "cpe:/a:mercari:mercari",
    "@product": "Mercari",
    "@vendor": "Mercari Co., Ltd.",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.3",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "7.4",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2021-000096",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN49465877/index.html",
      "@id": "JVN#49465877",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20835",
      "@id": "CVE-2021-20835",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2021-20835",
      "@id": "CVE-2021-20835",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    }
  ],
  "title": "Android App \"Mercari (Merpay) - Marketplace and Mobile Payments App\" (Japan version) vulnerable to improper handling of Intent"
}