How severe is CVE-2023-0460?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.3 out of 10.

What type of vulnerability is CVE-2023-0460?

This is classified as CWE-470, which is a common weakness in software security.

CVE-2023-0460 - HIGH Severity | CVSS 7.3

Vulnerability Description

The YouTube Embedded 1.2 SDK binds to a service within the YouTube Main App. After binding, a remote context is created with the flags Context.CONTEXT_INCLUDE_CODE | Context.CONTEXT_IGNORE_SECURITY. This allows the client app to remotely load code from YouTube Main App by retrieving the Main App’s ClassLoader. A potential vulnerability in the binding logic used by the client SDK where the SDK ends up calling bindService() on a malicious app rather than YT Main App. This creates a vulnerability where the SDK can load the malicious app’s ClassLoader instead, allowing the malicious app to load arbitrary code into the calling app whenever the embedded SDK is invoked. In order to trigger this vulnerability, an attacker must masquerade the Youtube app and install it on a device, have a second app that uses the Embedded player and typically distribute both to the victim outside of the Play Store.

Related Vulnerabilities

CVE-2018-5511

HIGH

CVSS:7.2(High)

On F5 BIG-IP 13.1.0-13.1.0.3 or 13.0.0, when authenticated administrative users execute commands in the Traffic Management User Interface (TMUI), also referred to as the BIG-IP Configuration utility, ...

CWE-4702018

CVE-2024-8015

HIGH

CVSS:7.2(High)

In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability.

CWE-4702024

CVE-2019-10174

HIGH

CVSS:7.5(High)

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's...

CWE-4702019

CVE-2025-2794

HIGH

CVSS:7.5(High)

An unsafe reflection vulnerability in Kentico Xperience allows an unauthenticated attacker to kill the current process, leading to a Denial-of-Service condition. This issue affects Xperience: through ...

CWE-4702025

CVE-2025-31119

HIGH

CVSS:7.6(High)

generator-jhipster-entity-audit is a JHipster module to enable entity audit and audit log page. Prior to 5.9.1, generator-jhipster-entity-audit allows unsafe reflection when having Javers selected as ...

CWE-4702025

CVE-2022-26469

HIGH

CVSS:7.8(High)

In MtkEmail, there is a possible escalation of privilege due to fragment injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is...

CWE-4702022