CWE-939 24 個 CVE MITRE 定義 ↗

CWE-939:Improper Authorization in Handler for Custom URL Scheme

概覽

CWE-939(Improper Authorization in Handler for Custom URL Scheme)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.

適用平台

類型 名稱 普遍性 OS / CPE
technology Mobile Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-12190 2026-06-14 A vulnerability has been found in Genspark AI Workspace App 2.8.4 on Android. This vulnerability affects unknown code of the component ai.mainfunc.genspark. The manipulation leads to improper authoriz…
CVE-2026-12189 2026-06-14 A flaw has been found in Moovit Bus & Public Transit App 1.18 on Android. This affects an unknown part of the component com.tranzmate. Executing a manipulation can lead to improper authorization in ha…
CVE-2026-53408 2026-06-12 Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privil…
CVE-2026-53407 2026-06-12 Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privil…
CVE-2026-12065 2026-06-12 A vulnerability was identified in Groww Stock, Mutual Fund, Gold App up to 20260805 on Android. This affects an unknown part of the component WebView URL Handler. The manipulation leads to improper au…
CVE-2026-6445 2026-06-09 A flaw exists in FlashArray Purity where insufficient filtering of certain data paths could expose sensitive information to an authenticated user with low privileges.
CVE-2026-3471 2026-05-18 Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated cras…
CVE-2026-35394 2026-04-06 Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any sc…
CVE-2026-33335 2026-03-24 Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls direc…
CVE-2026-26123 2026-03-10 Cwe is not in rca categories in Microsoft Authenticator allows an unauthorized attacker to disclose information locally.
CVE-2026-1046 2026-02-16 Mattermost Desktop App versions <=6.0 6.2.0 5.2.13.0 fail to validate help links which allows a malicious Mattermost server to execute arbitrary executables on a user’s system via the user clicking on…
CVE-2025-67739 2025-12-11 In JetBrains TeamCity before 2025.11.2 improper repository URL validation could lead to local paths disclosure
CVE-2025-41408 2025-09-05 Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbit…
CVE-2025-5020 2025-05-21 Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox …
CVE-2024-54125 2024-12-17 Improper authorization in handler for custom URL scheme issue in "Shonen Jump+" App for Android versions prior to 4.0.0 allows an attacker to lead a user to access an arbitrary website via the vulnera…
CVE-2024-54014 2024-12-04 Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead the application to…
CVE-2024-45203 2024-09-09 Improper authorization in handler for custom URL scheme issue in "@cosme" App for Android versions prior 5.69.0 and "@cosme" App for iOS versions prior to 6.74.0 allows an attacker to lead a user to a…
CVE-2024-41918 2024-08-28 'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may…
CVE-2024-35298 2024-06-19 Improper authorization in handler for custom URL scheme issue in 'ZOZOTOWN' App for Android versions prior to 7.39.6 allows an attacker to lead a user to access an arbitrary website via another applic…
CVE-2024-33606 2024-06-11 An attacker could retrieve sensitive files (medical images) as well as plant new medical images or overwrite existing medical images on a MicroDicom DICOM Viewer system. User interaction is required t…

內容提交

名稱
CWE Content Team
組織
MITRE
日期
2014-01-14
版本
2.6

內容修訂

日期 名稱 版本 重要性 評論
2017-01-19 CWE Content Team 2.10 updated Relationships
2017-11-08 CWE Content Team 3.0 updated Modes_of_Introduction, References, Relationships
2020-02-24 CWE Content Team 4.0 updated Applicable_Platforms, Relationships
2020-06-25 CWE Content Team 4.1 updated Potential_Mitigations
2021-03-15 CWE Content Team 4.4 updated Demonstrative_Examples
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated References, Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-04-03 CWE Content Team 4.17 updated Demonstrative_Examples
2025-12-11 CWE Content Team 4.19 updated Common_Consequences, Detection_Factors, Relationships, Weakness_Ordinalities
cvelogic Threat Intelligence