Description
Improper authorization in handler for custom URL scheme vulnerability in Android App 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to access an arbitrary website and the website launches an arbitrary Activity of the app via the vulnerable App, which may result in Mercari account's access token being obtained.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://jvn.jp/en/jp/JVN49465877/index.html
Scores
CVSS v3
7.5
EPSS
0.0133
EPSS Percentile
67.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-862
Status
published
Products (1)
mercari/mercari
< 4.49.1
Published
Nov 24, 2021
Tracked Since
Feb 18, 2026