7.8

CVE-2023-44123

EPSS 0.02%
Veröffentlicht 27.09.2023 15:19:35
Zuletzt bearbeitet 21.11.2024 08:25:17
Quelle product.security@lge.com
CVE-Watchlists
Login
Unerledigt
Login

The vulnerability is the use of implicit PendingIntents with the PendingIntent.FLAG_MUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Bluetooth ("com.lge.bluetoothsetting") app. The attacker's app, if it had access to app notifications, could intercept them and redirect them to its activity, before making it grant access permissions to content providers with the `android:grantUriPermissions="true"` flag.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Android Version12.0

Lg ≫ V60 Thin Q 5g Version-

Google ≫ Android Version13.0

Lg ≫ V60 Thin Q 5g Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.041

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
product.security@lge.com	6.1	1.8	3.7	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://lgsecurity.lge.com/bulletins/mobile#updateDetails

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-44123

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-44123

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-44123

EUVD