LINE In-App Browser Vulnerable to Universal XSS Attacks
CVE-2024-5739

6.1 MEDIUM

Key Information:

Vendor: Line Corporation
Status
Line Client For iOS
CVE Published: 12 June 2024

Summary

The in-app browser of the LINE client for iOS prior to version 14.9.0 is susceptible to a Universal XSS (UXSS) vulnerability. This flaw enables attackers to execute arbitrary JavaScript within the top frame from an embedded iframe on any website viewed in the in-app browser. An attack typically begins when the victim taps a URL in a chat message; if the victim then inadvertently interacts with a malicious iframe, the attacker can potentially manipulate displayed content and user session information. Users of the LINE client for iOS should update to version 14.9.0 or later to mitigate exposure to this risk. Other LINE clients, such as the one for Android, are not affected.

Affected Version(s)

LINE client for iOS 14.0.0 < 14.9.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
