Vulnerability Details : CVE-2022-28799
The TikTok application before 23.7.3 for Android allows account takeover. A crafted URL (unvalidated deeplink) can force the com.zhiliaoapp.musically WebView to load an arbitrary website. This may allow an attacker to leverage an attached JavaScript interface for the takeover with one click.
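The weakness described above is a deeplink handler that hands an attacker-controlled URL to a WebView with a JavaScript bridge attached. As an added illustration (not TikTok's code or anything from the advisory), the kind of gate such a handler can apply before calling `loadUrl`; the class name, method name and allowlisted hosts are assumptions for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example, not TikTok's code: a strict allowlist check a deeplink handler
// should apply before passing a URL to a WebView that exposes a JavascriptInterface.
public final class DeeplinkGuard {
    // Hypothetical allowlist of hosts the WebView is permitted to load.
    private static final Set<String> ALLOWED_HOSTS = Set.of("www.example.com", "m.example.com");

    public static boolean isSafeToLoad(String rawUrl) {
        if (rawUrl == null) return false;
        URI uri;
        try {
            uri = new URI(rawUrl.trim());
        } catch (URISyntaxException e) {
            return false;                         // unparseable: reject rather than guess
        }
        // Only https; this also rejects javascript:, file:, intent: and http: schemes.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        // "https://www.example.com@other.test/" parses with userinfo; refuse such URLs.
        if (uri.getRawUserInfo() != null) return false;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        // Exact match only: endsWith("example.com") would accept "example.com.other.test".
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed sample deeplink targets
            "https://www.example.com/promo?id=1",  // allowed
            "https://www.example.com@other.test/", // userinfo trick, rejected
            "https://www.example.com.other.test/", // suffix trick, rejected
            "javascript:void(0)",                  // non-https scheme, rejected
            "http://www.example.com/",             // plaintext, rejected
        };
        for (String s : samples) System.out.println(isSafeToLoad(s) + "  " + s);
    }
}
```

Allowlisting the host limits which origins can reach the bridge, but the interface itself should still expose the minimum surface, since any page that passes the check can call every method on it.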
Products affected by CVE-2022-28799
- cpe:2.3:a:tiktok:tiktok:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-28799
- EPSS score: 2.59% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~85% (the proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2022-28799
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST |
CWE ids for CVE-2022-28799
- The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2022-28799
- https://hackerone.com/reports/1500614 : #1500614 One Click Account Hijacking via Unvalidated Deeplink (Issue Tracking; Third Party Advisory)
- https://support.tiktok.com/en/safety-hc/reporting-security-vulnerabilities/reporting-the-security-vulnerabilities : Report security vulnerabilities | TikTok Help Center (Third Party Advisory)
- https://github.com/Ch0pin/security-advisories/security/advisories/GHSA-v39p-88q5-5cvr : Direct Request ('Forced Browsing') in com.zhiliaoapp.musically can lead to user account hijacking · Advisory · Ch0pin/security-advisories · GitHub (Third Party Advisory)