PT-2019-14765 · Traveloka · Traveloka

Tony · Published 2019-09-21 · Updated 2019-09-24 · CVE-2019-16681

CVSS v3.1: 4.7 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Traveloka application version 3.14.0

Description

The issue allows for the opening of arbitrary URLs, potentially injecting deceptive content into the UI. When in physical possession of the device, it is also possible to open local files. The vendor has stated that the issue is not critical as it does not allow elevation of privilege, sensitive data leakage, or critical unauthorized activity from a malicious user, and requires the installation of a malicious APK.

Recommendations

For Traveloka application version 3.14.0, consider restricting access to the com.traveloka.android.activity.common.WebViewActivity component to minimize the risk of exploitation. As a temporary workaround, avoid using the application for sensitive activities until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS


Weakness Enumeration

Related Identifiers

CVE-2019-16681

Affected Products

Traveloka