CVE-2023-44124

Published: Sep 27, 2023Modified: Nov 21, 2024

3.3

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Exploitability: 1.8 / Impact: 1.4

Source: NVD

Description

The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.

Affected (2)

Products: Google: Android

1 product

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Google Android	Version 12.0
Google Android	Version 13.0

Running on/with	Platform Versions
Lg V60 Thin Q 5g	All versions

Related CWEs

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Use of Implicit Intent for Sensitive Communication

The Android application uses an implicit intent for transmitting sensitive data to other applications.

References (2)

https://lgsecurity.lge.com/bulletins/mobile#updateDetails

Source: product.security@lge.com

Vendor Advisory

https://lgsecurity.lge.com/bulletins/mobile#updateDetails

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.