A now-patched security flaw has been disclosed in the Galaxy Store application for Samsung devices that could potentially lead to remote command execution on affected phones.
The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.
“Here, by not checking the deep link securely, when a user accesses a link from a website that contains the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application,” SSD Secure Disclosure said in an advisory posted last week.
XSS attacks let an adversary inject and execute malicious JavaScript code when a victim visits a site from a browser or, as here, from the embedded WebView of another application.
The issue discovered in the Galaxy Store app has to do with how deep links are configured for Samsung’s Marketing & Content Service (MCS): because the link target is not validated before it reaches the WebView, attacker-controlled JavaScript injected into the MCS page ends up executing with the privileges of the app’s WebView.
This could then be leveraged to download and install malware-laced applications on the Samsung device when the victim visits the link.
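To make the failure mode concrete, the following is an added example (not code from Samsung, SSD Secure Disclosure or the original article) that models the two ways an app can handle a deep link whose target is loaded into a WebView. The scheme `exampleapp://`, the `url` parameter and the allowlisted host `content.example.com` are hypothetical stand-ins; the article does not describe the real deep-link format. The vulnerable path hands the attacker-controlled value straight to the WebView, so a `javascript:` URL or a foreign origin gets loaded; the hardened path enforces the scheme, an origin allowlist and HTML escaping for any value interpolated into the page.

```javascript
// Added example, not Samsung's or SSD's code. Scheme, parameter name and
// allowlisted host are hypothetical stand-ins for the real deep-link format.

const ALLOWED_HOSTS = new Set(["content.example.com"]);

// Vulnerable pattern: whatever the deep link carries is returned for the
// WebView to load (the equivalent of WebView.loadUrl(target) on Android).
// A web page that embeds exampleapp://mcs?url=javascript%3A... therefore
// gets its script executed inside the app's WebView.
function vulnerableTarget(deepLink) {
  const outer = new URL(deepLink);
  return outer.searchParams.get("url");
}

// Hardened pattern: only an https URL on an allowlisted host is accepted.
// Returns the normalized URL to load, or null when the link is refused.
function safeTarget(deepLink) {
  let outer;
  try {
    outer = new URL(deepLink);
  } catch {
    return null; // malformed deep link
  }
  if (outer.protocol !== "exampleapp:") return null;

  const raw = outer.searchParams.get("url");
  if (raw === null) return null;

  let target;
  try {
    target = new URL(raw); // relative or malformed values throw and are refused
  } catch {
    return null;
  }
  // Scheme check: this is what stops javascript:, intent:, file: and data: URLs.
  if (target.protocol !== "https:") return null;
  // Origin allowlist: an https URL to an attacker's host is as bad as javascript:.
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  // Defence in depth: refuse embedded credentials (https://trusted@evil/ style).
  if (target.username !== "" || target.password !== "") return null;
  return target.href;
}

// Escaping for any deep-link value that is interpolated into the page's HTML,
// e.g. a campaign title. Without it, <img src=x onerror=...> becomes markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function vulnerableBanner(title) {
  return `<h1>${title}</h1>`; // raw interpolation: XSS if title is attacker-controlled
}

function safeBanner(title) {
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Stand-alone run over constructed sample links (not real Samsung deep links).
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    "exampleapp://mcs?url=https%3A%2F%2Fcontent.example.com%2Fpromo%3Fid%3D7",
    "exampleapp://mcs?url=javascript%3Aalert(document.cookie)",
    "exampleapp://mcs?url=https%3A%2F%2Fevil.example%2Fpromo",
  ];
  for (const s of samples) {
    console.log(s);
    console.log("  vulnerable loads:", vulnerableTarget(s));
    console.log("  hardened loads:  ", safeTarget(s));
  }
}
```

The order of checks matters: the scheme test must come before any host comparison, since `javascript:` and `data:` URLs have no meaningful host and would otherwise slip past an allowlist written only in terms of hostnames.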
“To be able to successfully exploit the victim’s server, it is essential to have HTTPS and CORS bypass of chrome,” the researchers noted.
Some parts of this article are sourced from:
thehackernews.com