Advisory #59
Title: Mercari (Merpay) improper handling of Intent
CVE ID: CVE-2021-20835
Vendor: Mercari, Inc.
Affected product: Mercari (Merpay) - Marketplace and Mobile Payments App
Affected versions: < 4.49.1
Vulnerability type: CWE-939 (Improper Authorization in Handler for Custom URL Scheme)
Description: Mercari (Merpay) has a vulnerability that allows a malicious page to launch an arbitrary Activity, which may allow an attacker to obtain the access token of the Mercari account.
Status: Fixed in 4.49.1
Recommendation: Update to 4.49.1 or above.