Second-Order Alert: Incorrectly Allowing Internal Links to Utilize App Scheme for Deeplinking Could Bypass URL Safety Checks
CVE-2024-10474
6.5 MEDIUM
Summary
A security issue has been identified in Focus for iOS: the application incorrectly permits internal links to use the app scheme designated for deep linking. This can be used to circumvent the established URL safety checks, potentially exposing users to security risks if malicious content is linked. Versions of Focus below 132 are affected and should be updated immediately to ensure secure handling of internal links.
Affected Version(s)
Focus for iOS < 132
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
James Lee