CVE-2023-44129

LOW Year: 2023
CVSS v3 Score
3.3
Low
Weakness Type
CWE-926
View all →

Vulnerability Description

The vulnerability is that the Messaging ("com.android.mms") app patched by LG forwards attacker-controlled intents back to the attacker in the exported "com.android.mms.ui.QClipIntentReceiverActivity" activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the "com.lge.message.action.QCLIP" action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the "onActivityResult()" method, they would have access to arbitrary content providers that have the `android:grantUriPermissions="true"` flag set.

Related Vulnerabilities

CVE-2021-25379

LOW
CVSS:3.3(Low)

Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows attacker to execute privileged action.

CWE-9262021

CVE-2021-25527

LOW
CVSS:3.3(Low)

Improper export of Android application components vulnerability in Samsung Pay (India only) prior to version 4.1.77 allows attacker to access Bill Pay and Recharge menu without authentication.

CWE-9262021

CVE-2022-24929

LOW
CVSS:3.3(Low)

Unprotected Activity in AppLock prior to SMR Mar-2022 Release 1 allows attacker to change the list of locked app without authentication.

CWE-9262022

CVE-2023-41960

LOW
CVSS:3.3(Low)

The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive setti...

CWE-9262023

CVE-2024-3479

LOW
CVSS:2.8(Low)

An improper export vulnerability was reported in the Motorola Enterprise MotoDpms Provider (com.motorola.server.enterprise.MotoDpmsProvider) that could allow a local attacker to read local data.

CWE-9262024

CVE-2021-25390

MEDIUM
CVSS:4.0(Medium)

Intent redirection vulnerability in PhotoTable prior to SMR MAY-2021 Release 1 allows attackers to execute privileged action.

CWE-9262021