CVE-2023-43300
📋 TL;DR
This vulnerability in the urban_project mini-app on Line v13.6.1 allows attackers to send malicious notifications by exploiting a leaked channel access token. Attackers can impersonate legitimate services to send deceptive notifications to users. This affects users of the vulnerable Line app version with the urban_project mini-app installed.
💻 Affected Systems
- Line mobile app with urban_project mini-app
📦 What is this software?
Line by Linecorp
⚠️ Risk & Real-World Impact
Worst Case
Attackers could send phishing notifications to all users of the vulnerable app, leading to credential theft, malware installation, or financial fraud through social engineering.
Likely Case
Targeted users receive malicious notifications that appear legitimate, potentially tricking them into clicking malicious links or revealing sensitive information.
If Mitigated
With proper token management and notification validation, impact is limited to notification spam with reduced credibility.
🎯 Exploit Status
Exploitation requires obtaining the leaked channel access token, which may be accessible through improper storage or transmission.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Line v13.6.2 or later
Vendor Advisory: https://github.com/syz913/CVE-reports/blob/main/CVE-2023-43300.md
Restart Required: Yes
Instructions:
1. Update Line app to v13.6.2 or later via official app store.
2. Ensure urban_project mini-app is updated if separate.
3. Restart the app after update.
🔧 Temporary Workarounds
Disable urban_project mini-app
Temporarily disable or remove the vulnerable mini-app from Line.
Revoke and regenerate tokens
If you manage the Line channel, revoke compromised access tokens and generate new ones.
🧯 If You Can't Patch
- Monitor for suspicious notifications and educate users to verify sender authenticity.
- Implement network filtering to block unauthorized notification sources if possible.
🔍 How to Verify
Check if Vulnerable:
Check the Line app version in settings; if it is v13.6.1 and the urban_project mini-app is installed, the system is vulnerable.
Check Version:
In Line app: Settings > About > Version
Verify Fix Applied:
Confirm Line app version is v13.6.2 or later and urban_project mini-app is updated or removed.
📡 Detection & Monitoring
Log Indicators:
- Unusual notification patterns from urban_project channel
- Failed token validation attempts
Network Indicators:
- Unexpected API calls to Line notification endpoints
- Traffic from unauthorized sources that uses the channel access token
SIEM Query:
source="line_app" AND event="notification" AND channel="urban_project" AND status="unauthorized"