Submit #824449: Moovit Moovit Android Application 1.18 Improper Input Validation / Insecure Deep Link Handling / WebVie

Title: Moovit Moovit Android Application 1.18 Improper Input Validation / Insecure Deep Link Handling / WebVie

Description: A vulnerability was discovered in the Moovit Android Application. The component com.moovit.web.WebViewActivity is exported and configured as browsable. The activity accepts externally supplied URLs and loads them into an internal WebView without sufficient validation or domain restriction. An attacker can exploit this issue via crafted intents or malicious deep links to force the application to display attacker-controlled content inside the trusted application interface. This may allow phishing attacks, UI spoofing, and user deception. The attack requires user interaction and can be triggered from a malicious application or a crafted Android deep link.

Steps to Reproduce:
1. Install the vulnerable version of the Moovit Android Application.
2. Connect the Android device using ADB.
3. Execute the following command: adb shell am start -n com.tranzmate/com.moovit.web.WebViewActivity --es url "https://evil.com"
4. Observe that the application launches the exported WebView activity.
5. The supplied external URL is loaded directly inside the application's internal WebView.
6. No domain validation, restriction, or warning is applied before rendering the attacker-controlled content.

Expected Result: Only trusted or allowlisted domains should be permitted inside the WebView component.
Observed Result: Arbitrary attacker-controlled external URLs are rendered inside the trusted application interface.
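The fix the expected result calls for is an allowlist check before any URL reaches the WebView. The sketch below is an added example, not Moovit's code; it assumes the URL arrives in the "url" string extra or as browsable intent data, as the report describes, and the allowlisted hosts are placeholders because the vendor's real hosts are not given here.

```java
// Added hardening sketch, not Moovit's code. Assumes the URL arrives in the
// "url" string extra or as browsable intent data, as the report describes.
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
public class WebViewActivity extends AppCompatActivity {
    // Placeholder allowlist; the vendor's real hosts are not given in the report.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com", "help.example.com"));

    /** True only for https URLs whose host exactly matches an allowlisted host. */
    static boolean isAllowedUrl(String raw) {
        if (raw == null) return false;
        Uri uri = Uri.parse(raw);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) return false;
        if (!"https".equalsIgnoreCase(scheme)) return false; // rejects http:, javascript:, file:
        if (uri.getUserInfo() != null) return false;         // rejects https://trusted@other/
        return ALLOWED_HOSTS.contains(host.toLowerCase());   // exact match, no endsWith() check
    }
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        String url = intent.getStringExtra("url");
        if (url == null && intent.getData() != null) url = intent.getData().toString();
        if (!isAllowedUrl(url)) {
            finish(); // refuse to render untrusted content inside the app's own UI
            return;
        }
        WebView webView = new WebView(this);
        webView.setWebViewClient(new WebViewClient() {
            @Override // re-check every navigation: redirects and links can leave the allowlist
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                return !isAllowedUrl(request.getUrl().toString()); // true = block navigation
            }
        });
        setContentView(webView);
        webView.loadUrl(url);
    }
}
```

If the activity does not need to be reachable from other apps or deep links at all, setting android:exported="false" in the manifest removes the external entry point entirely.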
Source: ⚠️ https://github.com/honestcorrupt/MOOVIT-CVE-.git
User: honest_corrupt (UID 85229)
Submission: 09.05.2026 14:37 (1 month ago)
Moderation: 14.06.2026 08:37 (1 month later)
Status: Accepted
VulDB Entry: 370835 [Moovit Bus & Public Transit App 1.18 on Android com.tranzmate Local Privilege Escalation]
Points: 20
