CVE-2019-5955

Vulnerability

CREATE SD official App for Android version 1.0.2 and earlier contains an improper access control vulnerability (CWE-284) in the function that handles URL access via an Intent [1]. The app does not properly restrict which applications can send an Intent to it, allowing any arbitrary app on the device to invoke the vulnerable function [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious Android application that sends a crafted Intent to the CREATE SD official App. The attack requires the attacker to install the malicious app on the user's device or trick the user into installing it [1]. No authentication or special privileges beyond normal Android app permissions are needed. The attacker then uses the Intent to direct the vulnerable app to open an arbitrary URL chosen by the attacker [1].

Impact

A remote attacker can lead the user of the vulnerable app to access an arbitrary website without the user's informed consent. This can be used to conduct phishing attacks, where the user is directed to a malicious site that may steal credentials or other sensitive information [1]. The CVSS v3 score is 3.0 (Low), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating limited impact but requiring user interaction [1].

Mitigation

The developer has released an updated version of the application. Users should update to the latest version of CREATE SD official App for Android as provided by the developer [1]. No workarounds beyond updating are described in the available reference.