Aerosol
Posted January 9, 2015

https://labs.integrity.pt/articles/good-for-enterprise-android-html-injection-cve-2014-4925/

1. Vulnerability Properties

Title: HTML Injection in Good for Enterprise Android
CVE ID: CVE-2014-4925
CVSSv2 Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Vendor: Good Technology (http://www1.good.com/)
Products: Good for Enterprise Android (possibly others)
Advisory Release Date: 8 January 2015
Advisory URL: http://labs.integrity.pt/advisories/cve-2014-4925/
Credits: Discovery and PoC by Cláudio André <ca[at]integrity.pt>

2. Vulnerability Summary

A remote attacker is able to send a crafted email with a payload that redirects the user to a target url as soon as he opens the email.

3. Technical Details

The vulnerability can be confirmed by sending a HTML email with the following content:

<meta http-equiv="refresh" content="0;URL='http://www.maliciousurl.com'" />

Exploiting this vulnerability could allow an attacker to redirect a user to a malicious website, allowing hooking the browser with malicious JavaScript, launching phishing attacks, etc.

4. Vulnerable Versions

Confirmed on version 1.9.0.40, but from the vendor feedback all versions up to 2.8.0.398 should be vulnerable.

5. Solution

Currently there is none. The vendor has classified this issue as unfixable and a product limitation.

6. Vulnerability Timeline

16 Apr 2014 – Vulnerability reported to vendor
7 Jan 2015 – Vendor gave final feedback that the issue was not a vulnerability and instead being a product limitation and unfixable.

--
Cláudio André
Security Consultant @ Integrity S.A
www.integrity.pt
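Because the advisory lists no client-side fix, the payload from section 3 can be caught before delivery by scanning HTML mail parts for meta refresh tags. The following is an added example, not part of the original advisory or post; the function names and the sample message (which uses a placeholder .invalid host) are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Pulls the target out of a refresh value such as "0;URL='http://host/'".
_REFRESH_URL = re.compile(r"^\s*\d*\s*[;,]?\s*(?:url\s*=\s*)?['\"]?([^'\"]*)", re.I)


class MetaRefreshFinder(HTMLParser):
    """Collects redirect targets of <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.targets = []

    def handle_starttag(self, tag, attrs):
        # The parser lower-cases tag and attribute names; self-closing
        # <meta ... /> tags are routed here by the default handler as well.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "refresh":
            m = _REFRESH_URL.match(a.get("content", ""))
            self.targets.append(m.group(1).strip() if m else "")


def find_meta_refresh(html):
    """Return the redirect targets found in one HTML document."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    finder.close()
    return finder.targets


def scan_message(raw):
    """Return refresh targets from every text/html part of a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            hits.extend(find_meta_refresh(part.get_content()))
    return hits


def build_sample():
    """Constructed multipart message carrying the advisory's tag shape."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text part")
    msg.add_alternative("<html><head><meta http-equiv=\"refresh\" content=\"0;"
                        "URL='http://redirect.example.invalid/'\" /></head>"
                        "<body>hello</body></html>", subtype="html")
    return msg.as_string()
```

A gateway can quarantine or rewrite any message for which `scan_message` returns a non-empty list; an empty string in the list marks a refresh with no URL, which reloads the same document.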