PT-2024-21638 · Microsoft · Msal.Net

Ntc-Swiss-Team

·

Published

2024-04-16

·

Updated

2024-04-17

·

CVE-2024-27086

CVSS v3.1

3.9

Low

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions

MSAL.NET versions 4.48.0 through 4.60.0

Description

A malicious application running on a customer Android device can cause a local denial of service against applications that were built using MSAL.NET for authentication on the same device, due to an incorrect activity export configuration. This can prevent the user of the legitimate application from logging in. Additionally, a malicious application can inject HTML/JavaScript into an embedded web view exported by affected applications.

Recommendations

For MSAL.NET versions 4.48.0 through 4.60.0, update to MSAL.NET version 4.60.1 or later to resolve the issue. As a temporary workaround, developers may explicitly mark the MSAL.NET activity as non-exported by setting android:exported="false" in the activity configuration.
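The root cause above is an Android activity that other apps on the device can start. The following is an added example, not code from the advisory or from MSAL.NET: it parses an AndroidManifest.xml and reports every activity that is exported, either explicitly (android:exported="true") or implicitly (no android:exported attribute but an intent-filter present, which is the default for apps targeting Android versions before 12), and whether an android:permission guards it. The embedded manifest is constructed for this example and the package and activity names in it are hypothetical; it places the vulnerable shape next to the workaround from the recommendation (android:exported="false").

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for this example; package and activity names are hypothetical.
# WebViewAuthActivity shows the vulnerable shape (exported, no permission),
# WebViewAuthActivityFixed shows the advisory's workaround.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.msalclient">
  <application>
    <activity android:name="com.example.auth.WebViewAuthActivity"
              android:exported="true" />
    <activity android:name="com.example.auth.WebViewAuthActivityFixed"
              android:exported="false" />
    <activity android:name="com.example.auth.RedirectActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="msauth" android:host="com.example.msalclient" />
      </intent-filter>
    </activity>
    <activity android:name="com.example.auth.GuardedActivity"
              android:exported="true"
              android:permission="com.example.msalclient.AUTH" />
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an attribute from the android: namespace, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def exported_activities(manifest_xml):
    """Return a list of dicts describing every exported activity in the manifest.

    An activity counts as exported when android:exported="true", or when the
    attribute is absent and the activity declares an <intent-filter> (the
    default for targetSdk < 31; apps targeting Android 12+ must set it explicitly).
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for elem in app.iter():
        if elem.tag not in ("activity", "activity-alias"):
            continue
        exported = _android_attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "android:exported unset with an <intent-filter> (implicit export)"
        else:
            continue  # explicitly exported="false", or no filter and no attribute
        findings.append({
            "name": _android_attr(elem, "name"),
            "reason": reason,
            "permission": _android_attr(elem, "permission"),
        })
    return findings


def unguarded_exported_activities(manifest_xml):
    """Names of exported activities that any app on the device may start.

    These are the candidates for the advisory's workaround; an activity that
    must receive a browser redirect (an intent-filter for a custom scheme) is a
    review item rather than an automatic finding, since it has to stay reachable.
    """
    return [f["name"] for f in exported_activities(manifest_xml) if not f["permission"]]


if __name__ == "__main__":
    for f in exported_activities(SAMPLE_MANIFEST):
        guard = f["permission"] or "no android:permission"
        print("%s: %s (%s)" % (f["name"], f["reason"], guard))
```

Run it against the merged manifest of a built APK (the one produced under the build output, not only the source manifest, since libraries such as MSAL.NET contribute their own activity entries at merge time) to confirm that the activity in question is no longer listed after applying the workaround or upgrading.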

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-27086
GHSA-X674-V45J-FWXW

Affected Products

Msal.Net