CVE-2023-44124

EPSS 0.02%
Veröffentlicht 27.09.2023 15:19:35
Zuletzt bearbeitet 21.11.2024 08:25:17
Quelle product.security@lge.com
CVE-Watchlists
Login
Unerledigt
Login

The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Google ≫ Android Version12.0

Lg ≫ V60 Thin Q 5g Version-

Google ≫ Android Version13.0

Lg ≫ V60 Thin Q 5g Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.044

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.3	1.8	1.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
product.security@lge.com	6.1	1.8	3.7	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

CWE-927 Use of Implicit Intent for Sensitive Communication

The Android application uses an implicit intent for transmitting sensitive data to other applications.

https://lgsecurity.lge.com/bulletins/mobile#updateDetails

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-44124

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-44124

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-44124

EUVD