Total
7791 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-44128 | 2 Google, Lg | 2 Android, V60 Thin Q 5g | 2023-10-02 | N/A | 3.6 LOW |
| he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted. | |||||
| CVE-2023-44125 | 2 Google, Lg | 2 Android, V60 Thin Q 5g | 2023-10-02 | N/A | 7.8 HIGH |
| The vulnerability is the use of implicit PendingIntents without the PendingIntent.FLAG_IMMUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Personalized service ("com.lge.abba") app. The attacker's app, if it had access to app notifications, could intercept them and redirect them to its activity, before making it grant access permissions to content providers with the `android:grantUriPermissions="true"` flag. | |||||
| CVE-2023-44126 | 2 Google, Lg | 2 Android, V60 Thin Q 5g | 2023-10-02 | N/A | 5.5 MEDIUM |
| The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as call states, durations, called numbers, contacts info, etc. | |||||
| CVE-2023-44127 | 2 Google, Lg | 2 Android, V60 Thin Q 5g | 2023-10-02 | N/A | 5.5 MEDIUM |
| he vulnerability is that the Call management ("com.android.server.telecom") app patched by LG launches implicit intents that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as contact details and phone numbers. | |||||
| CVE-2023-31014 | 2 Google, Nvidia | 2 Android, Geforce Now | 2023-09-22 | N/A | 4.8 MEDIUM |
| NVIDIA GeForce Now for Android contains a vulnerability in the game launcher component, where a malicious application on the same device can process the implicit intent meant for the streamer component. A successful exploit of this vulnerability may lead to limited information disclosure, denial of service, and code execution. | |||||
| CVE-2023-35658 | 1 Google | 1 Android | 2023-09-14 | N/A | 8.8 HIGH |
| In gatt_process_prep_write_rsp of gatt_cl.cc, there is a possible privilege escalation due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35687 | 1 Google | 1 Android | 2023-09-14 | N/A | 7.8 HIGH |
| In MtpPropertyValue of MtpProperty.h, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35684 | 1 Google | 1 Android | 2023-09-14 | N/A | 8.8 HIGH |
| In avdt_msg_asmbl of avdt_msg.cc, there is a possible out of bounds write due to an integer overflow. This could lead to paired device escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35683 | 1 Google | 1 Android | 2023-09-14 | N/A | 5.5 MEDIUM |
| In bindSelection of DatabaseUtils.java, there is a possible way to access files from other applications due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35664 | 1 Google | 1 Android | 2023-09-14 | N/A | 5.5 MEDIUM |
| In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35666 | 1 Google | 1 Android | 2023-09-14 | N/A | 7.8 HIGH |
| In bta_av_rc_msg of bta_av_act.cc, there is a possible use after free due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35667 | 1 Google | 1 Android | 2023-09-14 | N/A | 7.8 HIGH |
| In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35669 | 1 Google | 1 Android | 2023-09-14 | N/A | 7.8 HIGH |
| In checkKeyIntentParceledCorrectly of AccountManagerService.java, there is a possible way to control other running activities due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35670 | 1 Google | 1 Android | 2023-09-14 | N/A | 7.8 HIGH |
| In computeValuesFromData of FileUtils.java, there is a possible way to insert files to other apps' external private directories due to a path traversal error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35671 | 1 Google | 1 Android | 2023-09-14 | N/A | 5.5 MEDIUM |
| In onHostEmulationData of HostEmulationManager.java, there is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35673 | 1 Google | 1 Android | 2023-09-14 | N/A | 8.8 HIGH |
| In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35674 | 1 Google | 1 Android | 2023-09-14 | N/A | 7.8 HIGH |
| In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35675 | 1 Google | 1 Android | 2023-09-13 | N/A | 5.5 MEDIUM |
| In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35676 | 1 Google | 1 Android | 2023-09-13 | N/A | 7.8 HIGH |
| In createQuickShareAction of SaveImageInBackgroundTask.java, there is a possible way to trigger a background activity launch due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2023-35677 | 1 Google | 1 Android | 2023-09-13 | N/A | 5.5 MEDIUM |
| In onCreate of DeviceAdminAdd.java, there is a possible way to forcibly add a device admin due to a missing permission check. This could lead to local denial of service (factory reset or continuous locking) with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||