PT-2022-26959 · NTT DOCOMO, KDDI and SoftBank · +Message App

Akaki Tsunoda

Published 2022-12-21 · Updated 2023-01-04

CVE-2022-43543

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

KDDI +Message App for Android versions prior to 3.9.2
KDDI +Message App for iOS versions prior to 3.9.4
NTT DOCOMO +Message App for Android versions prior to 54.49.0500
NTT DOCOMO +Message App for iOS versions prior to 3.9.4
SoftBank +Message App for Android versions prior to 12.9.5
SoftBank +Message App for iOS versions prior to 3.9.4
Description

The issue is caused by improper handling of Unicode control characters in the +Message App. A crafted text can therefore display misleading web links, potentially leading to spoofed URLs and phishing attacks. The app renders received text unprocessed even when it contains control characters, so the text is displayed according to the Unicode semantics of those control characters rather than as the sequence of characters that was actually sent.
Recommendations

For KDDI +Message App for Android versions prior to 3.9.2, update to version 3.9.2 or later.
For KDDI +Message App for iOS versions prior to 3.9.4, update to version 3.9.4 or later.
For NTT DOCOMO +Message App for Android versions prior to 54.49.0500, update to version 54.49.0500 or later.
For NTT DOCOMO +Message App for iOS versions prior to 3.9.4, update to version 3.9.4 or later.
For SoftBank +Message App for Android versions prior to 12.9.5, update to version 12.9.5 or later.
For SoftBank +Message App for iOS versions prior to 3.9.4, update to version 3.9.4 or later.
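As an added defensive example (not code from the advisory or from any of the vendors' apps): a Python filter that flags and strips the Unicode control and format characters the description refers to before message text is rendered. The advisory does not name specific code points; treating the bidi override and isolate controls (for example U+202E) as the dangerous case, and the sample message, are this example's assumptions.

```python
import unicodedata

# Constructed sample message (assumption, not taken from the advisory): the
# right-to-left override U+202E after the path separator makes everything that
# follows render reversed, so the link the user sees is not the one encoded.
SAMPLE_MESSAGE = "Your parcel is held: https://example.com/\u202Etneilc/moc.elpmaxe-yreviled"

# Bidi controls that reorder or re-embed the characters after them (assumed set;
# the advisory only says "Unicode control characters").
BIDI_CONTROLS = {
    0x202A, 0x202B, 0x202C, 0x202D, 0x202E,   # LRE, RLE, PDF, LRO, RLO
    0x2066, 0x2067, 0x2068, 0x2069,           # LRI, RLI, FSI, PDI
    0x200E, 0x200F, 0x061C,                   # LRM, RLM, ALM
}
ALLOWED_WHITESPACE = {"\n", "\r", "\t"}


def is_unsafe_control(ch):
    """True for control (Cc) and format (Cf) characters, except ordinary whitespace."""
    if ch in ALLOWED_WHITESPACE:
        return False
    return unicodedata.category(ch) in ("Cc", "Cf") or ord(ch) in BIDI_CONTROLS


def find_control_chars(text):
    """Return (index, code point, name, kind) for every unsafe control character.

    kind is "bidi" for the reordering controls above and "control" otherwise, so a
    reviewer can prioritise the characters that can actually disguise a link.
    """
    hits = []
    for i, ch in enumerate(text):
        if is_unsafe_control(ch):
            kind = "bidi" if ord(ch) in BIDI_CONTROLS else "control"
            hits.append((i, ord(ch), unicodedata.name(ch, "<unnamed>"), kind))
    return hits


def sanitize_message_text(text):
    """Drop unsafe control characters so the rendered text matches the encoded text."""
    return "".join(ch for ch in text if not is_unsafe_control(ch))


if __name__ == "__main__":
    for index, cp, name, kind in find_control_chars(SAMPLE_MESSAGE):
        print(f"offset {index}: U+{cp:04X} {name} ({kind})")
    print(sanitize_message_text(SAMPLE_MESSAGE))
```

Stripping every Cf character is deliberately blunt: it also removes zero-width joiners used in emoji sequences and some scripts, so a production filter would apply it to link text only, or restrict it to the bidi set, and log the hits rather than silently dropping them.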

Weakness Enumeration

Improper Encoding or Escaping of Output

Related Identifiers

CVE-2022-43543

Affected Products

KDDI +Message App
NTT DOCOMO +Message App
SoftBank +Message App