The vulnerability is the use of implicit PendingIntents without the PendingIntent.FLAG_IMMUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Personalized service ("com.lge.abba") app. The attacker's app, if it had access to app notifications, could intercept them and redirect them to its activity, before making it grant access permissions to content providers with the `android:grantUriPermissions="true"` flag.
History

Fri, 20 Sep 2024 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: LGE

Published: 2023-09-27T13:59:02.183Z

Updated: 2024-09-20T19:49:11.092Z

Reserved: 2023-09-26T05:57:13.269Z

Link: CVE-2023-44125

cve-icon Vulnrichment

Updated: 2024-08-02T19:59:50.871Z

cve-icon NVD

Status : Modified

Published: 2023-09-27T15:19:35.980

Modified: 2024-11-21T08:25:17.820

Link: CVE-2023-44125

cve-icon Redhat

No data.