Search criteria
9 vulnerabilities found for mercari by mercari
FKIE_CVE-2024-23388
Vulnerability from fkie_nvd - Published: 2024-01-26 07:15 - Updated: 2025-06-03 18:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN70818619/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN70818619/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mercari:mercari:*:*:*:*:*:android:*:*",
"matchCriteriaId": "C2EF5FC4-4F02-4A63-9D90-8740949133EA",
"versionEndExcluding": "5.78.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme issue in \"Mercari\" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack."
},
{
"lang": "es",
"value": "La autorizaci\u00f3n inadecuada en el controlador para un problema de esquema de URL personalizado en la aplicaci\u00f3n \"Mercari\" para Android anterior a la versi\u00f3n 5.78.0 permite a un atacante remoto llevar a un usuario a acceder a un sitio web arbitrario a trav\u00e9s de la aplicaci\u00f3n vulnerable. Como resultado, el usuario puede convertirse en v\u00edctima de un ataque de phishing."
}
],
"id": "CVE-2024-23388",
"lastModified": "2025-06-03T18:15:24.103",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-01-26T07:15:59.320",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70818619/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN70818619/"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-20835
Vulnerability from fkie_nvd - Published: 2021-11-24 16:15 - Updated: 2024-11-21 05:47
Severity ?
Summary
Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN49465877/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN49465877/index.html | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mercari:mercari:*:*:*:*:*:android:*:*",
"matchCriteriaId": "AD3E0EAD-AADA-4EFF-9663-CD638377A02F",
"versionEndExcluding": "4.49.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme vulnerability in Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account\u0027s access token being obtained."
},
{
"lang": "es",
"value": "Una autorizaci\u00f3n inapropiada en el manejador para la vulnerabilidad del esquema de URL personalizado en la aplicaci\u00f3n Android \"Mercari (Merpay) - Marketplace and Mobile Payments App\" (versi\u00f3n de Jap\u00f3n) versiones anteriores a la 4.49.1, permite a un atacante remoto conllevar a un usuario a acceder a un sitio web arbitrario y el sitio web lanza una actividad arbitraria de la aplicaci\u00f3n por medio de la aplicaci\u00f3n vulnerable, lo que puede resultar en una obtenci\u00f3n del token de acceso de la cuenta Mercari"
}
],
"id": "CVE-2021-20835",
"lastModified": "2024-11-21T05:47:15.110",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-24T16:15:12.970",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-5604
Vulnerability from fkie_nvd - Published: 2020-07-09 02:15 - Updated: 2024-11-21 05:34
Severity ?
Summary
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
References
| URL | Tags | ||
|---|---|---|---|
| vultures@jpcert.or.jp | https://jvn.jp/en/jp/JVN93167107/index.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jvn.jp/en/jp/JVN93167107/index.html | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mercari:mercari:*:*:*:*:*:android:*:*",
"matchCriteriaId": "58AD0B84-89D0-42CB-873F-F3D52C90DE39",
"versionEndExcluding": "3.52.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Android App \u0027Mercari\u0027 (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView."
},
{
"lang": "es",
"value": "La aplicaci\u00f3n Android \u0027Mercari\u0027 (versi\u00f3n japonesa) anterior a la versi\u00f3n 3.52.0 permite la ejecuci\u00f3n de un m\u00e9todo arbitrario de un objeto Java por parte de un atacante remoto a trav\u00e9s de un ataque Man-In-The-Middle utilizando la API de Java Reflection de c\u00f3digo JavaScript en WebView"
}
],
"id": "CVE-2020-5604",
"lastModified": "2024-11-21T05:34:20.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-09T02:15:10.527",
"references": [
{
"source": "vultures@jpcert.or.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
],
"sourceIdentifier": "vultures@jpcert.or.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-23388 (GCVE-0-2024-23388)
Vulnerability from cvelistv5 – Published: 2024-01-26 07:07 – Updated: 2025-06-03 17:57
VLAI?
Summary
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
Severity ?
6.1 (Medium)
CWE
- Improper authorization in handler for custom URL scheme
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mercari, Inc. | "Mercari" App for Android |
Affected:
prior to version 5.78.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:24.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70818619/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-26T18:14:22.384453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T17:57:30.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "\"Mercari\" App for Android",
"vendor": "Mercari, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to version 5.78.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme issue in \"Mercari\" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authorization in handler for custom URL scheme",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-26T07:07:23.529Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN70818619/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-23388",
"datePublished": "2024-01-26T07:07:23.529Z",
"dateReserved": "2024-01-16T05:50:38.250Z",
"dateUpdated": "2025-06-03T17:57:30.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20835 (GCVE-0-2021-20835)
Vulnerability from cvelistv5 – Published: 2021-11-24 08:25 – Updated: 2024-08-03 17:53
VLAI?
Summary
Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.
Severity ?
No CVSS data available.
CWE
- Improper Authorization in Handler for Custom URL Scheme
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mercari, Inc. | Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) |
Affected:
versions prior to 4.49.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version)",
"vendor": "Mercari, Inc.",
"versions": [
{
"status": "affected",
"version": "versions prior to 4.49.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme vulnerability in Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account\u0027s access token being obtained."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization in Handler for Custom URL Scheme",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T08:25:38",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20835",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version)",
"version": {
"version_data": [
{
"version_value": "versions prior to 4.49.1"
}
]
}
}
]
},
"vendor_name": "Mercari, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper authorization in handler for custom URL scheme vulnerability in Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account\u0027s access token being obtained."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization in Handler for Custom URL Scheme"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/jp/JVN49465877/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20835",
"datePublished": "2021-11-24T08:25:38",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:23.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5604 (GCVE-0-2020-5604)
Vulnerability from cvelistv5 – Published: 2020-07-09 01:05 – Updated: 2024-08-04 08:30
VLAI?
Summary
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
Severity ?
No CVSS data available.
CWE
- Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mercari, Inc. | Android App 'Mercari' (Japan version) |
Affected:
prior to version 3.52.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Android App \u0027Mercari\u0027 (Japan version)",
"vendor": "Mercari, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to version 3.52.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Android App \u0027Mercari\u0027 (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposed Dangerous Method or Function",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T15:38:26",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Android App \u0027Mercari\u0027 (Japan version)",
"version": {
"version_data": [
{
"version_value": "prior to version 3.52.0"
}
]
}
}
]
},
"vendor_name": "Mercari, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Android App \u0027Mercari\u0027 (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Exposed Dangerous Method or Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/jp/JVN93167107/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5604",
"datePublished": "2020-07-09T01:05:20",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:30:24.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23388 (GCVE-0-2024-23388)
Vulnerability from nvd – Published: 2024-01-26 07:07 – Updated: 2025-06-03 17:57
VLAI?
Summary
Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.
Severity ?
6.1 (Medium)
CWE
- Improper authorization in handler for custom URL scheme
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mercari, Inc. | "Mercari" App for Android |
Affected:
prior to version 5.78.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:24.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN70818619/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-23388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-26T18:14:22.384453Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T17:57:30.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "\"Mercari\" App for Android",
"vendor": "Mercari, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to version 5.78.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme issue in \"Mercari\" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper authorization in handler for custom URL scheme",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-26T07:07:23.529Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://jvn.jp/en/jp/JVN70818619/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2024-23388",
"datePublished": "2024-01-26T07:07:23.529Z",
"dateReserved": "2024-01-16T05:50:38.250Z",
"dateUpdated": "2025-06-03T17:57:30.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20835 (GCVE-0-2021-20835)
Vulnerability from nvd – Published: 2021-11-24 08:25 – Updated: 2024-08-03 17:53
VLAI?
Summary
Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.
Severity ?
No CVSS data available.
CWE
- Improper Authorization in Handler for Custom URL Scheme
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mercari, Inc. | Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) |
Affected:
versions prior to 4.49.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:23.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version)",
"vendor": "Mercari, Inc.",
"versions": [
{
"status": "affected",
"version": "versions prior to 4.49.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization in handler for custom URL scheme vulnerability in Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account\u0027s access token being obtained."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Authorization in Handler for Custom URL Scheme",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-24T08:25:38",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20835",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version)",
"version": {
"version_data": [
{
"version_value": "versions prior to 4.49.1"
}
]
}
}
]
},
"vendor_name": "Mercari, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Improper authorization in handler for custom URL scheme vulnerability in Android App \u0027Mercari (Merpay) - Marketplace and Mobile Payments App\u0027 (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account\u0027s access token being obtained."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Improper Authorization in Handler for Custom URL Scheme"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/jp/JVN49465877/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN49465877/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20835",
"datePublished": "2021-11-24T08:25:38",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:23.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5604 (GCVE-0-2020-5604)
Vulnerability from nvd – Published: 2020-07-09 01:05 – Updated: 2024-08-04 08:30
VLAI?
Summary
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
Severity ?
No CVSS data available.
CWE
- Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Mercari, Inc. | Android App 'Mercari' (Japan version) |
Affected:
prior to version 3.52.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Android App \u0027Mercari\u0027 (Japan version)",
"vendor": "Mercari, Inc.",
"versions": [
{
"status": "affected",
"version": "prior to version 3.52.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Android App \u0027Mercari\u0027 (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposed Dangerous Method or Function",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-09T15:38:26",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Android App \u0027Mercari\u0027 (Japan version)",
"version": {
"version_data": [
{
"version_value": "prior to version 3.52.0"
}
]
}
}
]
},
"vendor_name": "Mercari, Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Android App \u0027Mercari\u0027 (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remote attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Exposed Dangerous Method or Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/en/jp/JVN93167107/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN93167107/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5604",
"datePublished": "2020-07-09T01:05:20",
"dateReserved": "2020-01-06T00:00:00",
"dateUpdated": "2024-08-04T08:30:24.580Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}