(Mobile Pwn2Own) Amazon App Store Search String Cross-Site Scripting Vulnerability
Vulnerability Details
This vulnerability allows remote attackers to inject scripts on Amazon Fire Phone. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the search string variable. Starting the string with a closing script tag allows the attacker to insert HTML code. An attacker can chain this vulnerability with other vulnerabilities to install malicious applications.
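The flaw class described above, shown from the defender's side as an added example that is not taken from Amazon's code or from the advisory. It assumes the search string was reflected inside an inline script block; every function name and the sample input are constructed. Escaping only for the JavaScript string context leaves the closing script tag visible to the HTML parser, while the hardened encoder removes it.

```javascript
// Added example. Assumption: the search string is reflected inside an inline
// <script> block. All names and the sample input are constructed.

// Weak: escapes only for the JavaScript string context (backslash, quote).
function renderSearchWeak(query) {
  const jsEscaped = query.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `<script>var searchString = "${jsEscaped}";</script>`;
}

// Hardened: JSON-encode the value, then replace every character the HTML
// parser or older JS engines treat specially with a \uXXXX escape.
function encodeForInlineScript(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderSearchHardened(query) {
  return `<script>var searchString = ${encodeForInlineScript(query)};</script>`;
}

// Simplified model of the HTML tokenizer: a script element ends at the first
// "</script", whatever JavaScript quoting surrounds it. Returns the text the
// browser would parse as markup after that point.
function markupOutsideScript(html) {
  const bodyStart = html.indexOf("<script>") + "<script>".length;
  const close = html.toLowerCase().indexOf("</script", bodyStart);
  return html.slice(html.indexOf(">", close) + 1);
}

const sample = "</script><b>constructed marker</b>";
console.log("weak    :", JSON.stringify(markupOutsideScript(renderSearchWeak(sample))));
console.log("hardened:", JSON.stringify(markupOutsideScript(renderSearchHardened(sample))));
```

The encoded value still decodes to the original string in JavaScript, so search behaviour is unchanged; only the bytes seen by the HTML parser differ.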
Additional Details
No advisory was posted and no patch was required; the issue was fixed server side.
Disclosure Timeline
- 2014-11-13 - Vulnerability reported to vendor
- 2015-04-29 - Coordinated public release of advisory
Credit
MWR Labs