VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 28, 2021· Updated Aug 3, 2024

CVE-2021-20873

CVE-2021-20873

Description

Yappli Android apps v7.3.6 to v9.29.0 have improper Custom URL Scheme authorization, allowing redirection to unintended sites.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yappli Android apps v7.3.6 to v9.29.0 have improper Custom URL Scheme authorization, allowing redirection to unintended sites.

Vulnerability

Android apps developed with Yappli versions since v7.3.6 and prior to v9.30.0 contain an improper authorization vulnerability in the Custom URL Scheme handler (CWE-939). The app provides a function to access a requested URL via a custom URL scheme, but access to this function is not properly restricted [1].

Exploitation

An attacker can craft a malicious website containing a specially crafted URL. If a user of the vulnerable app visits this website, the app may be directed to connect to unintended sites [1]. The attacker requires no authentication but relies on user interaction (the user must click on the malicious link).

Impact

Successful exploitation could allow an attacker to leak or alter internal information of the vulnerable app. According to the CVSS v3 score, the primary impact is on integrity (high), with no impact on confidentiality or availability [1].

Mitigation

Developers should rebuild the affected application using the latest Yappli development environment (version 9.30.0 or later). Until the rebuilt version is published, remove the affected version from the app store. Users should contact the application developer for guidance [1].

References
  1. Android Apps developed using Yappli fails to restrict custom URL schemes properly

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Yappli/Yapplillm-create
    Range: >=7.3.6, <9.30.0
  • Yappli, Inc./Yappliv5
    Range: versions since v7.3.6 and prior to v9.30.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

0

No linked articles in our index yet.