Samsung Mobile Security
Cookie Policy

Updated on Jan 17, 2022

This Cookie Policy describes the different types of cookies that may be used in connection with the Samsung Mobile Security website, which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, they enable us to identify users and provide the proper service to each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie           | Domain                     | Purpose
JSESSIONID       | security.samsungmobile.com | to keep the login session
lastActivityTime | security.samsungmobile.com | to save the user's last activity time, to automatically log out after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.


Security Updates

We truly appreciate the following security researchers for helping us improve the security of our mobile applications, wearable devices and personal computers. We would like to thank them for disclosing the vulnerability reports responsibly and working with us throughout the process.

Please note that while we are doing our best to release security patches as soon as possible to all applicable devices and services, the release time of security patches may vary depending on device versions and models or service versions.


Android Application Updates


SVE-2021-21488 (CVE-2021-25520): Cross-Site Scripting vulnerability in Samsung Internet via SearchKeyword deeplink

Severity: High
Resolved Version: 16.0.2
Reported on: April 17, 2021
Description: Insecure caller check and input validation vulnerabilities in SearchKeyword deeplink logic prior to Samsung Internet 16.0.2 allow untrusted applications to execute script code in Samsung Internet.
Acknowledgement: Sayed Abdelhafiz


SVE-2021-21534 (CVE-2021-25521): Leaking current tab url vulnerability in Samsung Internet via sharevia deeplink

Severity: Moderate
Resolved Version: 16.0.2
Reported on: April 21, 2021
Description: Insecure caller check in sharevia deeplink logic prior to Samsung Internet 16.0.2 allows untrusted applications to get the current tab URL in Samsung Internet.
Acknowledgement: Sayed Abdelhafiz


SVE-2021-22440 (CVE-2021-25522): Insecure storage of sensitive information vulnerability in Smart Capture

Severity: Low
Resolved Version: 4.8.02.10
Reported on: July 4, 2021
Description: Insecure storage of sensitive information vulnerability in Smart Capture prior to version 4.8.02.10 allows an attacker to access the victim's captured images without permission.
Acknowledgement: Andr. Ess


SVE-2021-22905 (CVE-2021-25523): Possible to access the Samsung Account ID logged in to the device

Severity: Moderate
Resolved Version: 12.7.05.24
Reported on: August 9, 2021
Description: Insecure storage of device information in Samsung Dialer prior to version 12.7.05.24 allows an attacker to get the Samsung Account ID.
Acknowledgement: Jenny.ZJN


SVE-2021-22906 (CVE-2021-25524): Possible to access the Samsung Account ID logged in to the device

Severity: Moderate
Resolved Version: 12.7.05.24
Reported on: August 9, 2021
Description: Insecure storage of device information in Contacts prior to version 12.7.05.24 allows an attacker to get the Samsung Account ID.
Acknowledgement: Jenny.ZJN


SVE-2021-23456 (CVE-2021-25525): Improper Check or Handling of Exceptional Conditions vulnerability in Samsung Pay (US)

Severity: Moderate
Resolved Version: 4.0.65
Reported on: October 3, 2021
Description: Improper check or handling of exceptional conditions vulnerability in Samsung Pay (US only) prior to version 4.0.65 allows an attacker to use NFC without user recognition.
Acknowledgement: Tony


SVE-2021-23462 (CVE-2021-25526): Intent redirection leads to gaining access to arbitrary content providers in Samsung Blockchain Wallet

Severity: Moderate
Resolved Version: 1.3.02.8
Reported on: October 5, 2021
Description: Intent redirection vulnerability in Samsung Blockchain Wallet prior to version 1.3.02.8 allows an attacker to execute privileged actions.
Acknowledgement: 남지효


SVE-2021-23758 (CVE-2021-25527): Improper export of android application components vulnerability in Samsung Pay

Severity: Moderate
Resolved Version: 4.1.77
Reported on: November 2, 2021
Description: Improper export of Android application components vulnerability in Samsung Pay (India only) prior to version 4.1.77 allows an attacker to access the Bill Pay and Recharge menu without authentication.
Acknowledgement: Harsh Tyagi



Android Application Updates


SVE-2021-22855 (CVE-2021-25506): Possible access to a non-existent provider in Samsung Health

Severity: Low
Resolved Version: 6.19.1.0001
Reported on: August 4, 2021
Description: A non-existent provider in Samsung Health prior to 6.19.1.0001 allows an attacker to access it via a malicious content provider or to cause a denial of service.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23094 (CVE-2021-25504): Intent redirection vulnerability in Group Sharing

Severity: Moderate
Resolved Version: 10.8.03.2
Reported on: August 30, 2021
Description: Intent redirection vulnerability in Group Sharing prior to 10.8.03.2 allows an attacker to access contact information.
Acknowledgement: Luke Symons


SVE-2021-23417 (CVE-2021-25505): Improper authentication in Samsung Pass

Severity: Moderate
Resolved Version: 3.0.02.4
Reported on: September 30, 2021
Description: Improper authentication in Samsung Pass prior to 3.0.02.4 allows the app to be used without authentication when the lock screen is unlocked.
Acknowledgement: Harsh Tyagi


SVE-2021-23373 (CVE-2021-25507): Improper authorization in Samsung Flow

Severity: High
Resolved Version: 4.8.03.5
Reported on: September 27, 2021
Description: Improper authorization vulnerability in the Samsung Flow mobile application prior to 4.8.03.5 allows a Samsung Flow PC application connected to the user's device to access part of the notification data in Secure Folder without authorization.
Acknowledgement: Lilly Chapman


SVE-2021-22939 (CVE-2021-25508): Improper Privilege Management in SmartThings

Severity: Moderate
Resolved Version: 1.7.73.22
Reported on: August 12, 2021
Description: Improper privilege management vulnerability in the API key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.
Acknowledgement: Lili Wei



PC Updates


SVE-2021-23291 (CVE-2021-25509): Improper Input Validation in Samsung Flow

Severity: Low
Resolved Version: 4.8.5.0
Reported on: September 19, 2021
Description: A missing input validation in the Samsung Flow Windows application prior to version 4.8.5.0 allows attackers to overwrite arbitrary files in the Windows known folders.
Acknowledgement: Shai Shapira



Android Application Updates

SVE-2021-21543 (CVE-2021-25492): Lack of boundary checking of a buffer in libSPenBase library

Severity: High
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: Lack of boundary checking of a buffer in the libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows an out-of-bounds (OOB) read.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-21542 (CVE-2021-25493): Lack of boundary checking of a buffer in libSPenBase library

Severity: Moderate
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: Lack of boundary checking of a buffer in the libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows an out-of-bounds (OOB) read.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-21540 (CVE-2021-25494): A possible heap buffer overflow vulnerability in libSPenBase library

Severity: Moderate
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: A possible buffer overflow vulnerability in the libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary memory write and code execution.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-21537 (CVE-2021-25495): A possible heap-based buffer overflow vulnerability in libSPenBase library

Severity: High
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: A possible heap-based buffer overflow vulnerability in the libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary memory write and code execution.
Acknowledgement: Dawuge from Pangu Team and flanker


SVE-2021-21548 (CVE-2021-25496): A possible buffer overflow vulnerability in libSPenBase library

Severity: High
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: A possible buffer overflow vulnerability in maetd_dec_slice of libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary code execution.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-21549 (CVE-2021-25497): A possible buffer overflow vulnerability in libSPenBase library

Severity: High
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: A possible buffer overflow vulnerability in maetd_cpy_slice of libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary code execution.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-21553 (CVE-2021-25498): A possible buffer overflow vulnerability in libSPenBase library

Severity: High
Resolved Version: 4.3.02.61
Reported on: April 21, 2021
Description: A possible buffer overflow vulnerability in maetd_eco_cb_mode of libSPenBase library of Samsung Notes prior to Samsung Notes version 4.3.02.61 allows arbitrary code execution.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23117 (CVE-2021-25499): Intent redirection in Galaxy Store

Severity: Moderate
Resolved Version: 4.5.32.4
Reported on: September 1, 2021
Description: Intent redirection vulnerability in SamsungAccountSDKSigninActivity of Galaxy Store prior to version 4.5.32.4 allows an attacker to access the content provider of Galaxy Store.
Acknowledgement: Rezkon (Luke Symons)



Android Application Updates

SVE-2021-22622 (CVE-2021-25463): Improper access control vulnerability in PENUP

Severity: Low
Resolved Version: 3.8.00.18
Reported on: July 12, 2021
Description: Improper access control vulnerability in PENUP prior to version 3.8.00.18 allows arbitrary webpage loading in a WebView.
Acknowledgement: Gregory DRAPERI


SVE-2021-21999 (CVE-2021-25464): Improper data management vulnerability in SamsungCapture

Severity: Moderate
Resolved Version: 4.8.02
Reported on: May 29, 2021
Description: Improper file management vulnerability in SamsungCapture prior to version 4.8.02 allows a sensitive information leak.
Acknowledgement: Andr.Ess


SVE-2021-22031 (CVE-2021-25465): Improper scheme check in Samsung Themes

Severity: Low
Resolved Version: 5.2.01
Reported on: May 31, 2021
Description: Improper scheme check vulnerability in Samsung Themes prior to version 5.2.01 allows attackers to perform a man-in-the-middle attack.
Acknowledgement: Zhongquan Li


SVE-2021-21977 (CVE-2021-25466): Improper scheme check in Samsung Internet

Severity: Moderate
Resolved Version: 15.0.2.47
Reported on: May 26, 2021
Description: Improper scheme check vulnerability in Samsung Internet prior to version 15.0.2.47 allows attackers to perform a man-in-the-middle attack and obtain the Samsung Account token.
Acknowledgement: Zhongquan Li @ ADLab



Android Application Updates


SVE-2021-21443 (CVE-2021-25445): Unprotected component vulnerability in Samsung Internet

Severity: High
Resolved Version: 14.2
Reported on: April 12, 2021
Description: Unprotected component vulnerability in Samsung Internet prior to version 14.2 allows an untrusted application to access internal files in Samsung Internet.
Acknowledgement: Sayed Abdelhafiz


SVE-2021-20512 (CVE-2021-25446, CVE-2021-25447): Improper access control vulnerability in SmartThings

Severity: Moderate
Resolved Version: 1.7.67.25
Reported on: January 31, 2021
Description: Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows an untrusted application to cause local file inclusion and arbitrary webpage loading in a WebView.
Acknowledgement: Antonio Arlia Ciombo


SVE-2021-21699 (CVE-2021-25448): Improper access control vulnerability in Smart Touch Call

Severity: Low
Resolved Version: 1.0.0.5
Reported on: May 5, 2021
Description: Improper access control vulnerability in Smart Touch Call prior to version 1.0.0.5 allows arbitrary webpage loading in a WebView.
Acknowledgement: Gregory DRAPERI



Android Application Updates

SVE-2021-19694 (CVE-2021-25431): An improper access control vulnerability in some functions of Cameralyzer

Severity: Moderate
Resolved Version: 3.3.1042 in Android P(9.0), and 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, 3.4.4210 in 3.4.x in Android Q(10.0)
Reported on: November 19, 2020
Description: Improper access control vulnerability in Cameralyzer prior to versions 3.3.1042 in Android P(9.0), and 3.2.1041 in 3.2.x, 3.3.1040 in 3.3.x, 3.4.4210 in 3.4.x in Android Q(10.0) and above allows untrusted applications to access some functions of Cameralyzer.
Acknowledgement: Yaoguang Chen of Ant Security Light-Year Lab


SVE-2021-20635 (CVE-2021-25432): Information exposure vulnerability in Samsung Members

Severity: Moderate
Resolved Version: 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above
Reported on: February 9, 2021
Description: Information exposure vulnerability in Samsung Members prior to versions 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above allows untrusted applications to access chat data.
Acknowledgement: Antonio Arlia Ciombo


SVE-2021-20602 (CVE-2021-25438, CVE-2021-25439): Improper access control vulnerability in Samsung Members

Severity: Moderate
Resolved Version: 2.4.85.11 in Android O(8.1) and below, and 3.9.10.11 in Android P(9.0) and above
Reported on: February 5, 2021
Description: Improper access control vulnerability in Samsung Members prior to versions 3.9.10.11 in Android P(9.0) and above, and 2.4.85.11 in Android O(8.1) and below allows untrusted applications to cause local file inclusion in webview.
Acknowledgement: Antonio Arlia Ciombo


SVE-2021-20722 (CVE-2021-25440): An improper access control vulnerability in some functions of FactoryCameraFB

Severity: High
Resolved Version: 3.4.74
Reported on: February 16, 2021
Description: Improper access control vulnerability in FactoryCameraFB prior to version 3.4.74 allows untrusted applications to access arbitrary files with an escalated privilege.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-20801 (CVE-2021-25441): Improper input validation vulnerability in AR Emoji Editor

Severity: Moderate
Resolved Version: 4.4.03.5 in Android Q(10.0) and above
Reported on: February 22, 2021
Description: Improper input validation vulnerability in AR Emoji Editor prior to version 4.4.03.5 in Android Q(10.0) and above allows untrusted applications to access arbitrary files with an escalated privilege.
Acknowledgement: hard_______


SVE-2021-19615 (CVE-2021-25442): Improper MDM policy management vulnerability in KME module

Severity: High
Resolved Version: KCS 1.39
Reported on: November 10, 2020
Description: Improper MDM policy management vulnerability in KME module prior to KCS version 1.39 allows MDM users to bypass Knox Manage authentication.
Acknowledgement: Aakash Kumar



Wearable Updates

SVE-2021-19702 (CVE-2021-25433): Improper authorization vulnerability in Tizen factory reset policy

Severity: Low
Affected devices: Galaxy Watch, Galaxy Watch3, Galaxy Watch Active, Galaxy Watch Active2
Resolved Version: Firmware update JUL-2021 Release
Reported on: November 20, 2020
Description: Improper authorization vulnerability in Tizen factory reset policy prior to Firmware update JUL-2021 Release allows untrusted applications to perform a factory reset using a D-Bus signal.
Acknowledgement: BoB WatchOver


SVE-2021-19703 (CVE-2021-25434): Improper input validation vulnerability in Tizen bootloader

Severity: High
Affected devices: Galaxy Watch, Galaxy Watch3, Galaxy Watch Active, Galaxy Watch Active2
Resolved Version: Firmware update JUL-2021 Release
Reported on: November 20, 2020
Description: Improper input validation vulnerability in Tizen bootloader prior to Firmware update JUL-2021 Release allows arbitrary code execution using the param partition in wireless firmware download mode.
Acknowledgement: BoB WatchOver


SVE-2021-19705 (CVE-2021-25435): Improper input validation vulnerability in Tizen bootloader

Severity: High
Affected devices: Galaxy Watch, Galaxy Watch3, Galaxy Watch Active, Galaxy Watch Active2
Resolved Version: Firmware update JUL-2021 Release
Reported on: November 21, 2020
Description: Improper input validation vulnerability in Tizen bootloader prior to Firmware update JUL-2021 Release allows arbitrary code execution using the recovery partition in wireless firmware download mode.
Acknowledgement: BoB WatchOver


SVE-2021-19310 (CVE-2021-25436): Improper file validation vulnerability in Tizen FOTA service

Severity: High
Affected devices: Galaxy Watch, Galaxy Watch3, Galaxy Watch Active, Galaxy Watch Active2
Resolved Version: Firmware update JUL-2021 Release
Reported on: October 17, 2020
Description: Improper input validation vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows arbitrary code execution via Samsung Accessory Protocol.
Acknowledgement: WatchOver (Soomin Shin, Minwoo Kim, Seungmin Lee, Jungyoon Lee, Yeonghyeon Cha, Donghun Seo)


SVE-2021-19311 (CVE-2021-25437): Improper access control vulnerability in Tizen FOTA service

Severity: High
Affected devices: Galaxy Watch, Galaxy Watch3, Galaxy Watch Active, Galaxy Watch Active2
Resolved Version: Firmware update JUL-2021 Release
Reported on: October 17, 2020
Description: Improper access control vulnerability in Tizen FOTA service prior to Firmware update JUL-2021 Release allows an attacker to execute arbitrary code by replacing the FOTA update file.
Acknowledgement: WatchOver (Soomin Shin, Minwoo Kim, Seungmin Lee, Jungyoon Lee, Yeonghyeon Cha, Donghun Seo)


Android Application Updates

SVE-2021-20922 (CVE-2021-25418): Improper component protection vulnerability in Samsung Internet

Severity: Moderate
Resolved Version: 14.0.1.62
Reported on: March 4, 2021
Description: Improper component protection vulnerability in Samsung Internet prior to version 14.0.1.62 allows untrusted applications to execute an arbitrary activity under specific conditions.
Acknowledgement: Dawn Security Lab, JD.com


SVE-2021-21127 (CVE-2021-25419): Non-compliance of recommended secure coding scheme in Samsung Internet

Severity: Low
Resolved Version: 14.0.1.62
Reported on: March 20, 2021
Description: Non-compliance with the recommended secure coding scheme in Samsung Internet prior to version 14.0.1.62 allows attackers to display a fake URL in the address bar via a phishing URL link.
Acknowledgement: Abdulla Aldoseri


SVE-2021-20736 (CVE-2021-25420, CVE-2021-25421, CVE-2021-25422, CVE-2021-25423): Wi-Fi password exposure

Severity: Moderate
Resolved Version: Galaxy Watch PlugIn 2.2.05.21033151, Galaxy Watch3 PlugIn 2.2.09.21033151, Watch Active PlugIn 2.2.07.21033151, Watch Active2 PlugIn 2.2.08.21033151
Reported on: February 18, 2021
Description: Improper log management vulnerability in Wearable Device Plugins allows an attacker with log permissions to obtain, from the log, the password of the Wi-Fi network connected to the user's smartphone.
Acknowledgement: Andr. Ess


SVE-2021-21224 (CVE-2021-25425): Read internal cache data in Samsung Health

Severity: Moderate
Resolved Version: 6.17
Reported on: March 26, 2021
Description: Improper check vulnerability in Samsung Health prior to version 6.17 allows an attacker to read internal cache data via an exported component.
Acknowledgement: Dzmitry Lukyanenka



Wearable Updates

SVE-2021-19928 (CVE-2021-25424): Improper Bluetooth pairing mode in Tizen device

Severity: High
Affected devices: Galaxy Watch, Galaxy Watch3, Galaxy Watch Active, Galaxy Watch Active2
Resolved Version: Firmware update JUN-2021 Release
Reported on: December 14, 2020
Description: Improper authentication vulnerability in Tizen bluetooth-frwk prior to Firmware update JUN-2021 Release allows a Bluetooth attacker to take over the user's Bluetooth device without the user's awareness.
Acknowledgement: BoB WatchOver


SVE-2021-20805 (CVE-2021-25405): An improper access control vulnerability in Samsung Notes

Severity: Moderate
Resolved Version: 4.2.04.27
Reported on: February 24, 2021
Description: An improper access control vulnerability in ScreenOffActivity in Samsung Notes prior to version 4.2.04.27 allows untrusted applications to access local files.
Acknowledgement: hard_______


SVE-2021-20777 (CVE-2021-25398): Intent redirection in Bixby Voice

Severity: Moderate
Resolved Version: 3.1.12
Reported on: February 22, 2021
Description: Intent redirection vulnerability in Bixby Voice prior to version 3.1.12 allows an attacker to access contacts.
Acknowledgement: hard_______


SVE-2021-20482 (CVE-2021-25399): Improper fileprovider settings in Smart Manager

Severity: High
Resolved Version: 11.0.05.0
Reported on: January 28, 2021
Description: Improper fileprovider setting in Smart Manager prior to version 11.0.05.0 allows an attacker to access the file with system privilege.
Acknowledgement: Xu Liangjun


SVE-2021-20631 (CVE-2021-25400): Intent redirection in Samsung Internet

Severity: Moderate
Resolved Version: 14.0.1.20
Reported on: February 9, 2021
Description: Intent redirection vulnerability in Samsung Internet prior to version 14.0.1.20 allows an attacker to execute privileged actions.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-20612 (CVE-2021-25401): Intent redirection in Samsung Health

Severity: Moderate
Resolved Version: 6.16
Reported on: February 6, 2021
Description: Intent redirection vulnerability in Samsung Health prior to version 6.16 allows an attacker to execute privileged actions.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-20188 (CVE-2021-25402): Information exposure vulnerability in Samsung Notes

Severity: Low
Resolved Version: 4.2.04.27
Reported on: January 5, 2021
Description: Information Exposure vulnerability in Samsung Notes prior to version 4.2.04.27 allows an attacker to access S Pen latency information.



SVE-2021-20810 (CVE-2021-25403): Intent redirection vulnerability in Samsung Account

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above
Reported on: February 24, 2021
Description: Intent redirection vulnerability in Samsung Account prior to version 10.8.0.4 in Android P(9.0) and below, and 12.2.0.9 in Android Q(10.0) and above allows an attacker to access contacts and the file provider using the SettingWebView component.
Acknowledgement: hard_______


SVE-2021-20542 (CVE-2021-25404): Information Exposure vulnerability in SmartThings

Severity: Moderate
Resolved Version: 1.7.64.21
Reported on: February 2, 2021
Description: Information Exposure vulnerability in SmartThings prior to version 1.7.64.21 allows an attacker to access user information via the log.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-19789 (CVE-2021-25406): Unauthorized access to the device's serial number

Severity: Low
Resolved Version: 2.2.05.21033151
Reported on: November 30, 2020
Description: Information Exposure vulnerability in Gear S Plugin prior to version 2.2.05.20122441 allows an attacker to access connected BT device information.
Acknowledgement: Andr. Ess


SVE-2021-19144 (CVE-2021-25374): Samsung Members

Severity: High
Resolved Version: 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above
Reported on: October 4, 2020
Description: An improper authorization vulnerability in the Samsung Members “samsungrewards” scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access user data related to the Samsung Account.
Acknowledgement: Ken Gannon


SVE-2021-17083 (CVE-2021-25375): Samsung Email

Severity: High
Resolved Version: 6.1.41.0
Reported on: March 18, 2020
Description: Using a predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of other emails when the user opens a malicious attachment.
Acknowledgement: Juno Im


SVE-2021-18085 (CVE-2021-25376): Samsung Email

Severity: Moderate
Resolved Version: 6.1.41.0
Reported on: June 17, 2020
Description: An improper synchronization logic in Samsung Email prior to version 6.1.41.0 can leak messages in a certain mailbox in plain text when STARTTLS negotiation fails.
Acknowledgement: Damian Poddebniak, Fabian Ising


SVE-2021-20637 (CVE-2021-25377): Samsung Experience Service

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.2.0.5 in Android Q(10.0) and above
Reported on: February 9, 2021
Description: Intent redirection in Samsung Experience Service versions 10.8.0.4 in Android P(9.0) and below, and 12.2.0.5 in Android Q(10.0) and above allows an attacker to execute privileged actions.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-20386 (CVE-2021-25378): SmartThings

Severity: Low
Resolved Version: 1.7.63.6
Reported on: January 19, 2021
Description: Improper access control of a certain port in SmartThings prior to version 1.7.63.6 allows a remote temporary denial of service.
Acknowledgement: Zhongquan Li (CytQ) of Xiaomi AIoT Security Lab


SVE-2021-20601 (CVE-2021-25379): Gallery

Severity: Moderate
Resolved Version: 5.4.16.1
Reported on: February 5, 2021
Description: Intent redirection vulnerability in Gallery prior to version 5.4.16.1 allows an attacker to execute privileged actions.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-19830 (CVE-2021-25380): Bixby

Severity: Moderate
Resolved Version: 3.0.53.02
Reported on: December 5, 2020
Description: Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows an attacker to execute the actions registered by the user.
Acknowledgement: Gregory DRAPERI


SVE-2021-19503 (CVE-2021-25381): Samsung Account

Severity: Moderate
Resolved Version: 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above
Reported on: November 2, 2020
Description: Using unsafe PendingIntent in Samsung Account in versions 10.8.0.4 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0) and above allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-19656 (CVE-2021-25373): Customization Service

Severity: Moderate
Resolved Version: 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0)
Reported on: November 14, 2020
Description: Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-19543 (CVE-2021-25352): Bixby Voice

Severity: Moderate
Resolved Version: 3.0.52.14
Reported on: November 4, 2020
Description: A vulnerability using PendingIntent with implicit intent in Bixby Voice prior to version 3.0.52.14 allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: hard_______


SVE-2021-19505 (CVE-2021-25354): Samsung Internet

Severity: Moderate
Resolved Version: 13.2.1.46
Reported on: November 3, 2020
Description: Improper input check in Samsung Internet prior to version 13.2.1.46 allows attackers to launch a non-exported activity in Samsung Browser via a malicious deeplink.
Acknowledgement: Ken Gannon


SVE-2021-18156 (CVE-2021-25353): Galaxy Themes

Severity: Moderate
Resolved Version: 5.2.00.1215
Reported on: June 25, 2020
Description: Using empty PendingIntent in Galaxy Themes prior to version 5.2.00.1215 allows local attackers to read/write private file directories of Galaxy Themes application without permission via hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-19622 (CVE-2021-25349): Slow Motion Editor

Severity: Moderate
Resolved Version: 3.5.18.5 in Android Q(10.0)
Reported on: November 10, 2020
Description: Using unsafe PendingIntent in Slow Motion Editor prior to version 3.5.18.5 allows local attackers to perform unauthorized actions without permission via hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-18944 (CVE-2021-25350): Samsung Account

Severity: Moderate
Resolved Version: 12.1.1.3 in Android Q(10.0)
Reported on: September 16, 2020
Description: Information Exposure vulnerability in Samsung Account prior to version 12.1.1.3 allows physically proximate attackers to access user information via log.
Acknowledgement: haiping


SVE-2021-18858 (CVE-2021-25351): Samsung Account

Severity: Moderate
Resolved Version: 10.7.07 in Android P(9.0) and below, and 12.1.1.3 in Android Q(10.0)
Reported on: September 10, 2020
Description: Improper Access Control in EmailValidationView in Samsung Account prior to version 10.7.0.7 and 12.1.1.3 allows physically proximate attackers to log out the user account on the device without the user's password.
Acknowledgement: Alexey Dorogin


SVE-2021-19533 (CVE-2021-25355): Samsung Notes

Severity: Moderate
Resolved Version: 4.2.00.22
Reported on: November 3, 2020
Description: Using unsafe PendingIntent in Samsung Notes prior to version 4.2.00.22 allows local attackers to perform unauthorized actions without permission via hijacking the PendingIntent.
Acknowledgement: hard_______


SVE-2021-18723 (CVE-2021-25366): Samsung Internet

Severity: Low
Resolved Version: 13.2.1.70
Reported on: August 27, 2020
Description: Improper access control in Samsung Internet prior to version 13.2.1.70 allows physically proximate attackers to bypass the secret mode's authentication.
Acknowledgement: Harsh Tyagi


SVE-2021-19506 (CVE-2021-25367): Samsung Notes

Severity: Low
Resolved Version: 4.2.00.22
Reported on: November 3, 2020
Description: Path Traversal vulnerability in Samsung Notes prior to version 4.2.00.22 allows attackers to access local files without permission.
Acknowledgement: Ken Gannon


SVE-2021-19530 (CVE-2021-25368): Samsung Cloud

Severity: Low
Resolved Version: 4.7.0.3
Reported on: November 3, 2020
Description: Hijacking vulnerability in Samsung Cloud prior to version 4.7.0.3 allows attackers to intercept it when the provider is executed.
Acknowledgement: Zhongquan Li


SVE-2021-19532 (CVE-2021-25341): S Assistant

Severity: Low
Resolved Version: 6.5.01.22
Reported on: November 3, 2020
Description: Calling of a non-existent provider in S Assistant prior to version 6.5.01.22 allows unauthorized actions, including a denial of service attack, by hijacking the provider.
Acknowledgement: Zhongquan Li @ Xiaomi AIoT Security Lab


SVE-2021-19474 (CVE-2021-25348): Samsung Internet

Severity: Low
Resolved Version: 13.0.1.60
Reported on: October 30, 2020
Description: Improper permission grant check in Samsung Internet prior to version 13.0.1.60 allows access to files in internal storage without authorized STORAGE permission.
Acknowledgement: Abdulla Aldoseri


SVE-2021-18825 (CVE-2021-25331, CVE-2021-25332, CVE-2021-25333): Samsung Pay Mini

Severity: Moderate
Resolved Version: 4.0.14
Reported on: September 7, 2020
Description: Two moderate vulnerabilities and one low vulnerability with improper access control in the Samsung Pay mini application prior to v4.0.14 allow unauthorized access to sensitive information over the lock screen under specific conditions.
Acknowledgement: Yogesh Anil Tantak


SVE-2021-18629 (CVE-2021-25342, CVE-2021-25343): SMP SDK, Samsung Members

Severity: Low
Resolved Version: SMP SDK[3.0.9], Samsung Members[2.4.81.13 in Android O(8.1) and below, and 3.8.00.13 in Android P(9.0) and above]
Reported on: August 11, 2020
Description: Calling of a non-existent provider in Samsung Members prior to version 2.4.81.13 (in Android O(8.1) and below) and 3.8.00.13 (in Android P(9.0) and above) allows unauthorized actions, including a denial of service attack, by hijacking the provider.
Acknowledgement: mykola