It was possible to perform RTLO Injection (Right To Left Override Injection). This technique takes advantage of \u202E, a non-printing Unicode character that causes the text that follows it to be displayed in reverse it is commonly used to disguise a string and/or file name and/or url to make it appear benign and to bypass security defences.
Asana Android app
Android
-->CWE (Common Weakness Enumeration):
CWE-451: User Interface Misrepresentation of Critical Information
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
-->CVSS Score: 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
-->Observations/Impact:
It was possible to perform RTLO Injection (Right To Left Override Injection). This technique takes advantage of \u202E, a non-printing Unicode character that causes the text that follows it to be displayed in reverse it is commonly used to disguise a string and/or file name and/or url to make it appear benign and to bypass security defences.
The Android application fails to sanitize user input executing the RTLO character and parsing it as a url.
This is a very dangerous behavior which may have serious consequences.
-->POC:
Check the attached POC video.
-->Resources:
https://attack.mitre.org/techniques/T1036/002/
https://nvd.nist.gov/vuln/detail/CVE-2020-20093
https://nvd.nist.gov/vuln/detail/CVE-2020-20094
https://nvd.nist.gov/vuln/detail/CVE-2020-20095
https://nvd.nist.gov/vuln/detail/CVE-2020-20096
https://nvd.nist.gov/vuln/detail/CVE-2022-28345
-->Notes:
Attending to issue simplicity of execution, criticality and possible consequences, comparing it to all current know CVEs, as listed above, the VRT Category should be reevaluated and classified at least as P3.
