CVE-2023-43955

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/actuator/com.phlox.tvwebbrowser	Exploit Third Party Advisory
https://github.com/actuator/com.phlox.tvwebbrowser/blob/main/CWE-94.md	Exploit Third Party Advisory
https://github.com/actuator/com.phlox.tvwebbrowser/blob/main/poc.apk	Exploit Third Party Advisory
https://github.com/truefedex/tv-bro/pull/182#issue-1901769895	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:fedirtsapana:tv_bro:*:*:*:*:*:android:*:*

History

No history.

Information

Published : 2023-12-27 21:15

Updated : 2024-01-09 20:06

NVD link : CVE-2023-43955

Mitre link : CVE-2023-43955

CVE.ORG link : CVE-2023-43955

JSON object : View

Products Affected

fedirtsapana

tv_bro

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2023-43955", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-12-27T21:15:08.050", "references": [{"url": "https://github.com/actuator/com.phlox.tvwebbrowser", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/actuator/com.phlox.tvwebbrowser/blob/main/CWE-94.md", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/actuator/com.phlox.tvwebbrowser/blob/main/poc.apk", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/truefedex/tv-bro/pull/182#issue-1901769895", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData."}, {"lang": "es", "value": "La aplicaci\u00f3n com.phlox.tvwebbrowser TV Bro hasta la versi\u00f3n 2.0.0 para Android maneja mal los intents externos a trav\u00e9s de WebView. Esto permite a los atacantes ejecutar c\u00f3digo arbitrario y crear archivos arbitrarios. y realizar descargas arbitrarias a trav\u00e9s de JavaScript que utiliza takeBlobDownloadData."}], "lastModified": "2024-01-09T20:06:56.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:fedirtsapana:tv_bro:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "BCBF560F-1E13-4991-82E9-664F72FF144B", "versionEndIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}