← Back

CVE-2023-44122

nvd nist
Published: Sep 27, 2023Modified: Nov 21, 2024

JSON object

Loading...
7.8
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 / Impact: 5.9
Source: NVD

Description

The vulnerability is to theft of arbitrary files with system privilege in the LockScreenSettings ("com.lge.lockscreensettings") app in the "com/lge/lockscreensettings/dynamicwallpaper/MyCategoryGuideActivity.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The LockScreenSettings app copies the received file to the "/data/shared/dw/mycategory/wallpaper_01.png" path and then changes the file access mode to world-readable and world-writable.

Affected (2)

Products: Google: Android
Google
1 product
Android
Configuration A
2 vulnerable · 1 platform
Vulnerable SoftwareAffected Versions
Google
Android
Version 12.0
Android
Version 13.0
Running on/withPlatform Versions
Lg
V60 Thin Q 5g
All versions

Related CWEs

CWE-668
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-927
Use of Implicit Intent for Sensitive Communication
The Android application uses an implicit intent for transmitting sensitive data to other applications.

References (2)

Source: product.security@lge.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.