CVE-2024-28895 in Yahoo Japan App
Summary
by MITRE • 04/01/2024
'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the WebView of 'Yahoo! JAPAN' App via another app installed on the user's device.
Analysis
by VulDB Data Team • 04/09/2025
The vulnerability identified as CVE-2024-28895 represents a critical cross-site scripting flaw within the Yahoo! JAPAN mobile applications for both Android and iOS platforms. This security weakness affects specific version ranges of the mobile applications, with Android versions 2.3.1 through 3.161.1 and iOS versions 3.2.2 through 4.109.0 being impacted. The vulnerability manifests in the WebView component of these applications, which serves as the core interface for rendering web content within the mobile application environment. The flaw allows malicious actors to inject and execute arbitrary scripts within the context of the WebView, potentially compromising user sessions and sensitive data.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding within the WebView's handling of external content. When the Yahoo JAPAN user, which then leverages the WebView's security gap to deliver malicious payloads. This scenario aligns with CWE-79, which specifically addresses cross-site scripting vulnerabilities in web applications and mobile environments.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable sophisticated attack vectors including session hijacking, data theft, and privilege escalation within the application context. An attacker who successfully exploits this vulnerability could potentially access user accounts, steal personal information, manipulate application functionality, or redirect users to malicious websites. The attack requires the presence of a malicious application on the user's device, making it a device-based attack vector that demonstrates the importance of application sandboxing and proper input validation. This vulnerability directly relates to ATT&CK technique T1059.007, which covers scripting through web shells, and T1531, which addresses credential access through application execution.
Mitigation strategies for CVE-2024-28895 must address both immediate remediation and long-term security improvements. The most critical immediate action involves updating the affected Yahoo JAPAN applications with the latest security patches. This vulnerability highlights the necessity of robust mobile application security testing and continuous monitoring for similar weaknesses in mobile WebView implementations.
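The advisory does not say how data from the other app reaches the WebView. As an added example (not code from the Yahoo! JAPAN app or from this advisory), the Kotlin code below assumes the data arrives as a URL string, for instance in an intent extra or deep link, and shows input validation a receiving app can apply before passing it to WebView.loadUrl(). The function name vetExternalUrl and the host names are hypothetical.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical allowlist: a real app would list its own first-party hosts.
private val ALLOWED_HOSTS = setOf("www.example.co.jp", "m.example.co.jp")

/**
 * Vets a URL received from another app (assumed entry point).
 * Returns the normalized URL if it may be loaded in the WebView,
 * or null if the caller must drop it.
 */
fun vetExternalUrl(raw: String?): String? {
    if (raw == null || raw.isEmpty() || raw.length > 2048) return null
    // Whitespace and control characters can hide a second scheme
    // from naive prefix checks, so reject them outright.
    if (raw.any { it.isISOControl() || it.isWhitespace() }) return null

    val uri = try { URI(raw) } catch (e: URISyntaxException) { return null }

    // Exact scheme match: this drops javascript:, data:, file:,
    // content: and intent: URLs, which execute or read local content.
    if (!"https".equals(uri.scheme, ignoreCase = true)) return null
    // Userinfo makes "https://allowed-host@other-host/" look trusted.
    if (uri.rawUserInfo != null || uri.port != -1) return null

    // Compare the parsed host, never a substring of the raw string.
    val host = uri.host?.lowercase() ?: return null
    if (host !in ALLOWED_HOSTS) return null

    return uri.toASCIIString()
}

fun main() {
    // Constructed sample inputs, not taken from the advisory.
    val samples = listOf(
        "https://www.example.co.jp/news?id=1",           // accepted
        "javascript:void(0)",                            // wrong scheme
        "https://www.example.co.jp@other.example/",      // userinfo trick
        "https://www.example.co.jp.other.example/",      // suffix trick
        "http://www.example.co.jp/",                     // cleartext
        "file:///data/local/tmp/page.html"               // local file
    )
    for (s in samples) {
        println("${vetExternalUrl(s) ?: "REJECTED"}  <-  $s")
    }
}
```

Only the first sample is returned unchanged; every other input yields null and should be logged and discarded rather than loaded.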