The vulnerability is the use of implicit PendingIntents with the PendingIntent.FLAG_MUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Bluetooth ("com.lge.bluetoothsetting") app. The attacker's app, if it had access to app notifications, could intercept them and redirect them to its activity, before making it grant access permissions to content providers with the `android:grantUriPermissions="true"` flag.
History

Fri, 20 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: LGE

Published: 2023-09-27T13:52:57.933Z

Updated: 2024-09-20T19:52:54.896Z

Reserved: 2023-09-26T05:57:13.269Z

Link: CVE-2023-44123

cve-icon Vulnrichment

Updated: 2024-08-02T19:59:51.614Z

cve-icon NVD

Status : Modified

Published: 2023-09-27T15:19:35.830

Modified: 2024-11-21T08:25:17.547

Link: CVE-2023-44123

cve-icon Redhat

No data.