CVE-2025-68709
JavaScript URI Execution in SailingLab AppLock
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alpha | applock | 4.3.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68709 affects the SailingLab AppLock (com.alpha.applock) version 4.3.8 for Android. It allows a local attacker to execute arbitrary JavaScript code through the BrowserMainActivity component by sending specially crafted VIEW intents containing javascript: URIs.
This unsafe navigation path leads to script execution, which can result in UI spoofing or privilege escalation attacks.
The vulnerability is classified as a Cross-Site Scripting (XSS) issue and arises when an attacker uses a malicious app or adb command to send an intent with a javascript: URI, exploiting how the component handles such inputs.
How can this vulnerability impact me?
This vulnerability can allow an attacker with local access to execute arbitrary JavaScript code within the AppLock application.
- UI spoofing: The attacker can manipulate the user interface to trick users into performing unintended actions.
- Privilege escalation: The attacker may gain higher privileges within the app or device, potentially bypassing security controls.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in SailingLab AppLock 4.3.8 can be detected by checking if the BrowserMainActivity component accepts VIEW intents containing javascript: URIs, which leads to arbitrary JavaScript execution.
One way to test for this vulnerability is to use the Android Debug Bridge (adb) to send a crafted intent with a javascript: URI to the vulnerable component and observe if the script executes.
- `adb shell am start -a android.intent.action.VIEW -d "javascript:alert('XSS')" com.alpha.applock/.BrowserMainActivity`
If the alert or any JavaScript execution occurs, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable version 4.3.8 of SailingLab AppLock until a patch or update is available.
Restrict or monitor the use of local apps or adb commands that can send VIEW intents with javascript: URIs to the BrowserMainActivity component.
Consider uninstalling or disabling the app if it is not essential, or applying any official updates or patches provided by the vendor once released.
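For developers of apps that expose a browser-style activity, the root cause described above is fixed by validating the scheme of the incoming VIEW intent before it reaches a WebView. The following is an added illustration of that check, not AppLock's own code (which is not shown on this page); the class name `SafeBrowserActivity` and the allow-list are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical activity showing the defensive scheme check; not the vendor's code.
public class SafeBrowserActivity extends Activity {
    // Only web schemes may be navigated; "javascript", "file", "content", etc. are refused.
    private static final List<String> ALLOWED_SCHEMES = Arrays.asList("http", "https");
    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        // Re-check every in-page navigation and redirect target, not just the first URI.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url)); // returning true cancels the load
            }
        });
        setContentView(webView);
        handleIntent(getIntent());
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        handleIntent(intent);
    }

    private void handleIntent(Intent intent) {
        Uri data = (intent != null && Intent.ACTION_VIEW.equals(intent.getAction())) ? intent.getData() : null;
        if (isAllowed(data)) {
            webView.loadUrl(data.toString());
        } else {
            finish(); // refuse the intent outright instead of loading a fallback page that could be spoofed
        }
    }

    // Case-insensitive allow-list; Uri.getScheme() is null for relative or malformed input.
    static boolean isAllowed(Uri uri) {
        return uri != null && uri.getScheme() != null
                && ALLOWED_SCHEMES.contains(uri.getScheme().toLowerCase(Locale.ROOT));
    }
}
```

With this check in place, the adb test from the detection section above results in the activity closing rather than any script running.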
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
However, since the vulnerability allows arbitrary JavaScript execution leading to potential UI spoofing or privilege escalation, it could indirectly affect data security and user privacy, which are critical aspects of these regulations.
Without explicit details on data breach or exposure, the exact compliance impact cannot be determined from the available information.