CVE-2024-41918

Description

'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack.

CVSS v3.1 Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weakness Type (CWE)

CWE-862 Missing Authorization

CWE-939 CWE-939

Affected Products

Vendor	Product	Versions
rakuten	ichiba	< 11.7.0
rakuten	ichiba	< 12.4.0

References

Other References

https://apps.apple.com/jp/app/id419267350 https://jvn.jp/en/jp/JVN56648919/ https://play.google.com/store/apps/details?id=jp.co.rakuten.android&hl=en

Frequently Asked Questions

What is CVE-2024-41918? +

'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack. It has a CVSS v3.1 base score of 6.1 (MEDIUM).

How severe is CVE-2024-41918? +

CVE-2024-41918 has a CVSS v3.1 score of 6.1 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2024-41918? +

CVE-2024-41918 affects products from rakuten, specifically: ichiba. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-41918? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-40570

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` …

CVE-2026-7879

In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses …

CVE-2026-8237

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. …

CVE-2026-33137

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is …

CVE-2026-41128

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with …

CVE-2024-43662

The <redacted>.exe or <redacted>.exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectively as any …