A vulnerability, which was classified as critical, has been found in TripAdvisor App up to 24.6.3 on Huawei Smartphone. This issue affects an unknown code of the component URL Handler. The manipulation with an unknown input leads to a input validation vulnerability. Using CWE to declare the problem leads to CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The TripAdvisor app with the versions before TAMobileApp-24.6.4 pre-installed in some Huawei mobile phones have an arbitrary URL loading vulnerability due to insufficient input validation and improper configuration. An attacker may exploit this vulnerability to invoke TripAdvisor to load a specific URL and execute malicious code contained in the URL.

The bug was discovered 01/30/2018. The weakness was presented 03/09/2018 (Website). The advisory is shared at huawei.com. The identification of this vulnerability is CVE-2017-17226 since 12/04/2017. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 38 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 24.6.4 eliminates this vulnerability.

Productinfo

Name

• TripAdvisor App

Version

• 24.6.0
• 24.6.1
• 24.6.2
• 24.6.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion