PT-2020-12916 · O2 · O2 Business
Published
2020-07-03
·
Updated
2020-07-15
·
CVE-2020-11882
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
O2 Business application version 1.2.0
Description
The O2 Business application for Android exposes the
canvasm.myo2.SplashActivity activity to other applications, which handles deeplinks that can be delivered via links or by directly calling the activity. However, the deeplink format is not properly validated, allowing an attacker to redirect a user to any page and deliver any content to the user.Recommendations
For O2 Business application version 1.2.0, consider disabling the
canvasm.myo2.SplashActivity activity until a patch is available to prevent exploitation. Restrict access to this activity to minimize the risk of redirection attacks. Avoid using deeplinks in the affected application until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
O2 Business