close

Samsung Mobile Security and Cookies

Our site uses essential cookies only. You can read our Privacy Policy and Cookie Policy for more information.

close

Samsung Mobile Security
Cookie Policy

Updated on Jan 17, 2022

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie Domain Purpose
JSESSIONID security.samsungmobile.com to keep login session
lastActivityTime security.samsungmobile.com to save the user's last activity time to automatically logout after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Go straight to the menu Go straight to the text
Home>Security Updates>Other Updates

Security Updates

2022Open selected window by year

Close selected window by year
January February March April May June July August September October November December

We truly appreciate the following security researchers for helping us improve the security of our mobile applications, wearable devices and personal computers. We would like to thank them for disclosing the vulnerability reports responsibly and working with us throughout the process.

Please note that while we are doing our best to release the security patches as soon as possible to all applicable devices and services, release time of security patches may vary depending on the device version and models or service versions.


Android Applications Updates

SVE-2022-1269(CVE-2022-39910): Improper access control in Samsung pass

Severity: Moderate
Resolved version: 4.0.06.7
Reported on: May 19, 2022
Description: Improper access control vulnerability in Samsung Pass prior to version 4.0.06.7 allow physical attackers to access data of Samsung Pass on a certain state of an unlocked device using pop-up view.
The patch adds defense logic on pop-up view usage scenario.
Acknowledgement: Harsh Tyagi


SVE-2022-2389(CVE-2022-39915): Improper access control vulnerability in Calendar

Severity: Moderate
Resolved versions: 11.6.08.0 in Android Q(10), 12.2.11.3000 in Android R(11), 12.3.07.2000 in Android S(12), and 12.4.02.0 in Android T(13)
Reported on: September 29, 2022
Description: Improper access control vulnerability in Calendar prior to versions 11.6.08.0 in Android Q(10), 12.2.11.3000 in Android R(11), 12.3.07.2000 in Android S(12), and 12.4.02.0 in Android T(13) allows attackers to access sensitive information via implicit intent.
The patch adds proper access control to use explicit intent.
Acknowledgement: Oversecured Inc


SVE-2022-2201(CVE-2022-39911): Improper Check or Handling of Exceptional Conditions in Samsung Pass

Severity: Moderate
Resolved version: 4.0.06.1
Reported on: September 11, 2022
Description: Improper check or handling of exceptional conditions vulnerability in Samsung Pass prior to version 4.0.06.1 allows attacker to access Samsung Pass.
The patch blocks the multi-window mode with the toast message.
Acknowledgement: Harsh Tyagi




PC Updates

SVE-2022-2040(CVE-2022-39909): Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager

Severity: Moderate
Resolved version: 2.1.221019.51
Reported on: August 24, 2022
Description: Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51 allows local attackers to create arbitrary file using symbolic link.
The patch remove the unnecessary logic.
Acknowledgement: HeeChan Kim (@heegong123) of TeamH4C


Other Software Updates

SVE-2022-0480(CVE-2022-39912): Improper handling of insufficient permissions in PersonaManagerService

Severity: Moderate
Resolved version: Android T(13)
Reported on: March 2, 2022
Description: Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManagerService prior to Android T(13) allows local attackers to set some setting value in Secure folder.
The patch adds proper permission for using the API.
Acknowledgement: Yousra Aafer


SVE-2022-0789(CVE-2022-39913): Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager

Severity: Moderate
Resolved version: Android T(13)
Reported on: March 29, 2022
Description: Exposure of Sensitive Information to an Unauthorized Actor in Persona Manager prior to Android T(13) allows local attacker to access user profiles information.
The patch removes the sensitive information of the profile.
Acknowledgement: Sergey Toshin


SVE-2022-1950(CVE-2022-39914): Exposure of Sensitive Information to an Unauthorized Actor in DisplayManagerService

Severity: Moderate
Resolved version: Android T(13)
Reported on: August 16, 2022
Description: Exposure of Sensitive Information from an Unauthorized Actor vulnerability in Samsung DisplayManagerService prior to Android T(13) allows local attacker to access connected DLNA device information.
The patch adds proper caller check logic.
Acknowledgement: Oversecured Inc

Android Applications Updates

SVE-2022-0776(CVE-2022-39890): Improper Authorization in Samsung Billing

Severity: Moderate
Resolved version: 5.0.56.0
Reported on: March 28, 2022
Description: Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information.
The patch block the sensitive information exposure.
Acknowledgement: Sergey Toshin


SVE-2022-1422(CVE-2022-39891): Heap overflow vulnerability in libsavsaudio.so in Editor Lite

Severity: Moderate
Resolved version: 4.0.41.3
Reported on: June 13, 2022
Description: Heap overflow vulnerability in parse_pce function in libsavsaudio.so in Editor Lite prior to version 4.0.41.3 allows attacker to get information.
The patch adds proper boundary check logic.
Acknowledgement: mart1n and zraxx


SVE-2022-1690(CVE-2022-39892): Improper access control in Samsung Pass via keep open feature

Severity: Low
Resolved version: 4.0.05.1
Reported on: July 15, 2022
Description: Improper access control in Samsung Pass prior to version 4.0.05.1 allows attackers to unauthenticated access via keep open feature.
The patch adds proper authentication logic during keep open feature enabled.
Acknowledgement: Harsh Tyagi


SVE-2022-1745(CVE-2022-39893): Sensitive information exposure in Galaxy Buds Pro Manager

Severity: Moderate
Resolved version: 4.1.22092751
Reported on: July 21, 2022
Description: Sensitive information exposure vulnerability in FmmBaseModel in Galaxy Buds Pro Manage prior to version 4.1.22092751 allows local attackers with log access permission to get device identifier data through device log.
The patch fixes improper logging.
Acknowledgement: Zhang Qing


SVE-2022-1830(CVE-2022-39889): Improper access control vulnerability in GalaxyWatch4Plugin

Severity: Moderate
Resolved version: 2.2.11.22101351 and 2.2.12.22101351
Reported on: August 1, 2022
Description: Improper access control vulnerability in GalaxyWatch4Plugin prior to versions 2.2.11.22101351 and 2.2.12.22101351 allows attackers to access wearable device information.
The patch adds proper caller check logic.
Acknowledgement: Stealth Assassin


Android Applications Updates

SVE-2022-0075(CVE-2022-39857): Improper access control in FactoryCameraFB

Severity: High
Resolved version: 3.5.51
Reported on: January 6, 2022
Description: Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51 allows attackers to access broadcasting Intent as system uid privilege.
The patch adds proper caller check logic.
Acknowledgement: Dawn Security Lab, JD


SVE-2022-0311(CVE-2022-39858): Path traversal vulnerability in FactoryCamera

Severity: High
Resolved version: 3.5.51
Reported on: February 7, 2022
Description: Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege.
The patch adds proper validation logic to prevent arbitrary file write.
Acknowledgement: Sergey Toshin


SVE-2022-0697(CVE-2022-39859): Implicit intent hijacking vulnerability in UPHelper library

Severity: Moderate
Resolved version: 3.0.12
Reported on: March 22, 2022
Description: Implicit intent hijacking vulnerability in UPHelper library prior to version 3.0.12 allows attackers to access sensitive information via implicit intent.
The patch changes implicit intent to explicit intent.
Acknowledgement: Sergey Toshin


SVE-2022-0754(CVE-2022-39860): Improper access control vulnerability in Quick Share

Severity: Moderate
Resolved version: 13.2.3.5
Reported on: March 26, 2022
Description: Improper access control vulnerability in Quick Share prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.
The patch adds proper access control.
Acknowledgement: Sergey Toshin


SVE-2022-0808(CVE-2022-39861): Unprotected Receiver in FactoryCamera

Severity: Moderate
Resolved version: 3.5.51
Reported on: March 31, 2022
Description: Unprotected Receiver in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to record video without camera privilege.
The patch restricts triggering of user binary.
Acknowledgement: Sergey Toshin


SVE-2022-0881(CVE-2022-39862): Improper authorization in Dynamic Lockscreen

Severity: Moderate
Resolved version: 3.3.03.66
Reported on: April 7, 2022
Description: Improper authorization in Dynamic Lockscreen prior to SMR Sep-2022 Release 1 in Android R(11) and 3.3.03.66 in Android S(12) allows unauthorized use of javascript interface api.
The patch removes unused code.
Acknowledgement: Dawn Security Lab, JDcom


SVE-2022-0904(CVE-2022-39863): Intent redirection vulnerability in Samsung Account

Severity: Moderate
Resolved version: 13.5.01.3
Reported on: April 12, 2022
Description: Intent redirection vulnerability in Samsung Account prior to version 13.5.01.3 allows attackers to access content providers without permission.
The patch deletes intent data in activity's result.
Acknowledgement: Sergey Toshin


SVE-2022-0967(CVE-2022-39864): Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings

Severity: Moderate
Resolved version: 1.7.89.25
Reported on: April 19, 2022
Description: Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
The patch adds proper access control.
Acknowledgement: Sergey Toshin


SVE-2022-0968(CVE-2022-39871, CVE-2022-39870, CVE-2022-39869, CVE-2022-39868, CVE-2022-39867, CVE-2022-39866, CVE-2022-39865): Improper access control vulnerabilities in SmartThings

Severity: Moderate
Resolved version: 1.7.89.0
Reported on: April 19, 2022
Description: Improper access control vulnerabilities in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
The patch adds proper access control.
Acknowledgement: Sergey Toshin


SVE-2022-1181(CVE-2022-39872): Leak of MAC address of connected Bluetooth device in ShareLive

Severity: Moderate
Resolved version: 13.2.03.5
Reported on: May 6, 2022
Description: Improper restriction of broadcasting Intent in ShareLive prior to version 13.2.03.5 leaks MAC address of the connected Bluetooth device.
The patch adds proper permission in ShareLive to prevent unauthorized access.
Acknowledgement: Jenny Zhang


SVE-2022-1408(CVE-2022-39873): Improper authorization vulnerability in Samsung Internet

Severity: Moderate
Resolved version: 18.0.4.14
Reported on: June 11, 2022
Description: Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication.
The patch fixes Samsung Internet to enforce authentication when accessing secret mode.
Acknowledgement: Harsh Tyagi


SVE-2022-1603(CVE-2022-39875,CVE-2022-39874): Improper access control vulnerabilities in Samsung Account

Severity: Moderate
Resolved version: 13.5.01.3
Reported on: July 3, 2022
Description: Improper access control vulnerabilities in Samsung Account prior to version 13.5.01.3 allows attackers to force unauthorized logout.
The patch adds proper access control.
Acknowledgement: hsia.angsh


SVE-2022-1734(CVE-2022-39876): Leak of IMEI in PushRegIdUpdateClient of SReminder

Severity: Moderate
Resolved version: 8.2.01.13
Reported on: July 21, 2022
Description: Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.
The patch removes the log that prints IMEI.
Acknowledgement: hsia.angsh


SVE-2022-1749(CVE-2022-39877): Improper access control in Group Sharing

Severity: Moderate
Resolved versions: 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below
Reported on: July 21, 2022
Description: Improper access control vulnerability in ProfileSharingAccount in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device.
The patch adds proper access control check logic for broadcasting data.
Acknowledgement: Zhang Qing


SVE-2022-1751(CVE-2022-39878): Improper access control vulnerability in Samsung Checkout

Severity: Moderate
Resolved version: 5.0.55.3
Reported on: July 21, 2022
Description: Improper access control vulnerability in Samsung Checkout prior to version 5.0.55.3 allows attackers to access sensitive information via implicit intent broadcast.
The patch deletes vulnerable legacy codes.
Acknowledgement: Zhang Qing


Android Applications Updates

SVE-2022-0221(CVE-2022-36851): Improper access control in Samsung pass

Severity: Moderate
Resolved version: 4.0.03.1
Reported on: January 25, 2022
Description: Improper access control vulnerability in Samsung Pass prior to version 4.0.03.1 allow physical attackers to access data of Samsung Pass on a certain state of an unlocked device.
The patch adds defense logic on recent app usage scenario.
Acknowledgement: Harsh Tyagi


SVE-2022-0323(CVE-2022-36864): Improper access control and intent redirection in Samsung Email

Severity: Moderate
Resolved version: 6.1.70.20
Reported on: February 9, 2022
Description: Improper access control and intent redirection in Samsung Email prior to version 6.1.70.20 allows attacker to access specific formatted file and execute privileged behavior.
The patch adds proper permission check in Samsung Email.
Acknowledgement: Dawuge of Pangu Team


SVE-2022-0385(CVE-2022-36869): Improper access control in Contacts Provider

Severity: Moderate
Resolved version: 12.7.59
Reported on: February 18, 2022
Description: Improper access control vulnerability in ContactsDumpActivity of Contacts Provider prior to version 12.7.59 allows attacker to access the file without permission.
The patch blocked the access to ContactsdumpActivity.
Acknowledgement: Harsh Tyagi


SVE-2022-0764(CVE-2022-36865): Improper access control vulnerability in Group Sharing

Severity: Moderate
Resolved versions: 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below
Reported on: March 27, 2022
Description: Improper access control in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to access device information.
The patch adds proper caller check logic to prevent unauthorized access.
Acknowledgement: Sergey Toshin


SVE-2022-0765(CVE-2022-36866): Improper access control in Group Sharing

Severity: Moderate
Resolved versions: 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below
Reported on: March 27, 2022
Description: Improper access control vulnerability in Broadcaster in Group Sharing prior to versions 13.0.6.15 in Android S(12), 13.0.6.14 in Android R(11) and below allows attackers to identify the device.
The patch adds proper access control check logic for broadcasting data.
Acknowledgement: Sergey Toshin


SVE-2022-0770(CVE-2022-36867): Improper access control vulnerability in Editor Lite

Severity: Moderate
Resolved version: 4.0.40.14
Reported on: March 28, 2022
Description: Improper access control vulnerability in Editor Lite prior to version 4.0.40.14 allows attackers to access sensitive information.
The patch adds proper access control.
Acknowledgement: Sergey Toshin


SVE-2022-0973(CVE-2022-36872, CVE-2022-36871, CVE-2022-36870): Pending Intent hijacking in Samsung Pay

Severity: Moderate
Resolved versions: 5.0.63 for KR and 5.1.47 for Global
Reported on: April 19, 2022
Description: Pending Intent hijacking vulnerability in Samsung Pay prior to versions 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.
The patch addresses the Intent in Samsung Pay to prevent unprivileged access.
Acknowledgement: Sergey Toshin


SVE-2022-0974(CVE-2022-36873): Leak of MAC address of connected Bluetooth device in Water plugin

Severity: Moderate
Resolved version: 2.2.11.22081151
Reported on: April 19, 2022
Description: Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of Water plugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device.
The patch modifies the log so that it cannot be read without permission.
Acknowledgement: Stealth assassin


SVE-2022-0980(CVE-2022-36874): Improper Handling of Insufficient Permissions or Privileges vulnerability in Water plugin

Severity: Moderate
Resolved version: 2.2.11.22040751
Reported on: April 20, 2022
Description: Improper Handling of Insufficient Permissions or Privileges vulnerability in Water plugin prior to version 2.2.11.22040751 allows attacker to access device IMEI and Serial number.
The patch adds proper permission check in Water plugin to prevent unauthorized access.
Acknowledgement: Stealth assassin


SVE-2022-1031(CVE-2022-36875): Improper restriction of broadcasting Intent in Water plugin

Severity: Moderate
Resolved version: 2.2.11.22081151
Reported on: April 25, 2022
Description: Improper restriction of broadcasting Intent in SaWebViewRelayActivity of Water plugin prior to version 2.2.11.22081151 allows attacker to access the file without permission.
The patch adds proper validation logic to prevent arbitrary files access.
Acknowledgement: Stealth assassin


SVE-2022-1270(CVE-2022-36876): Improper authorization in Samsung Pass

Severity: Moderate
Resolved version: 4.0.04.10
Reported on: May 19, 2022
Description: Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication.
The patch adds proper user authentication.
Acknowledgement: Harsh Tyagi


SVE-2022-1337(CVE-2022-36859): Improper input validation vulnerability in SmartTag Plugin

Severity: High
Resolved version: 1.2.21-6
Reported on: May 27, 2022
Description: Improper input validation vulnerability in SmartTag Plugin prior to version 1.2.21-6 allows privileged attackers to trigger a XSS on a victim's devices.
The patch adds the proper validation of input data.
Acknowledgement: Martin Heyden


SVE-2022-1588(CVE-2022-36877): Exposure of Sensitive Information in Samsung Members

Severity: Moderate
Resolved versions: 4.3.00.11 in Global and 14.0.02.4 in China
Reported on: June 30, 2022
Description: Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China allows local attackers to access device identification via log.
The patch fixes improper logging.
Acknowledgement: hsia.angsh


SVE-2022-1735(CVE-2022-36878): Exposure of Sensitive Information vulnerability in Find My Mobile

Severity: Moderate
Resolved version: 7.2.25.14
Reported on: July 21, 2022
Description: Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14 allows local attacker to access IMEI via log.
The patch fixes improper logging.
Acknowledgement: hsia.angsh


PC Updates

SVE-2022-1841(CVE-2022-39846): DLL hijacking vulnerability in Smart Switch PC

Severity: Moderate
Resolved version: 4.3.22083_3
Reported on: August 2, 2022
Description: DLL hijacking vulnerability in Smart Switch PC prior to version 4.3.22083_3 allows attacker to execute arbitrary code.
The patch remove the directory path in log.
Acknowledgement: HeeChan Kim (@heegong123) of TeamH4C


SVE-2022-1770(CVE-2022-39845): Possible to delete arbitrary directory vulnerability in Samsung Kies

Severity: Moderate
Resolved version: 2.6.4.22074
Reported on: July 23, 2022
Description: Improper validation of integrity check vulnerability in Samsung Kies prior to version 2.6.4.22074 allows local attackers to delete arbitrary directory using directory junction.
The patch prevents directory junction in the directory used during installation process.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2022-1647(CVE-2022-39844): Possible to delete arbitrary directory vulnerability in Smart Switch PC

Severity: Moderate
Resolved version: 4.3.22083
Reported on: July 10, 2022
Description: Improper validation of integrity check vulnerability in Smart Switch PC prior to version 4.3.22083 allows local attackers to delete arbitrary directory using directory junction.
The patch prevents directory junction in the directory used during installation process.
Acknowledgement: ycdxsb of VARAS@IIE


Android Applications Updates

SVE-2022-1288(CVE-2022-36835): Implicit intent hijacking vulnerability in Samsung Internet Browser

Severity: Moderate
Resolved version: 17.0.7.34
Reported on: May 21, 2022
Description: Implicit intent hijacking vulnerability in Samsung Internet Browser prior to version 17.0.7.34 allows attackers to access arbitrary files.
The patch changes implicit intent to explicit intent.
Acknowledgement: Oversecured Inc 


SVE-2022-0783(CVE-2022-36839): SQL injection vulnerability via IAPService in Samsung Checkout

Severity: Moderate
Resolved version: 5.0.53.1
Reported on: March 29, 2022
Description: SQL injection vulnerability via IAPService in Samsung Checkout prior to version 5.0.53.1 allows attackers to access IAP information.
The patch adds validation code to prevent SQL injection.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0807(CVE-2022-36832): Improper access control in Cameralyzer

Severity: Moderate
Resolved versions: 3.2.22, 3.3.22, 3.4.22 and 3.5.51
Reported on: March 31, 2022
Description: Improper access control vulnerability in WebApp in Cameralyzer prior to versions 3.2.22, 3.3.22, 3.4.22 and 3.5.51 allows attackers to access external storage as Cameralyzer privilege.
The patch adds proper caller check logic.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0752(CVE-2022-36833): Improper Privilege Management vulnerability in Game Optimizing Service

Severity: High
Resolved versions: 3.3.04.0 in Android Q(10), and 3.5.04.8 in Android R(11) and above
Reported on: March 26, 2022
Description: Improper Privilege Management vulnerability in Game Optimizing Service prior to versions 3.3.04.0 in Android Q(10), and 3.5.04.8 in Android R(11) and above allows local attacker to execute hidden function for developer by changing package name.
The patch adds the proper validation of package.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0860(CVE-2022-36834): Exposure of Sensitive Information vulnerability in Game Launcher

Severity: Moderate
Resolved version: 6.0.07
Reported on: April 6, 2022
Description: Exposure of Sensitive Information vulnerability in Game Launcher prior to version 6.0.07 allows local attacker to access app data with user interaction.
The patch changes implicit intent to explicit intent.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0926(CVE-2022-36836): Unprotected provider in Charm by Samsung

Severity: Moderate
Resolved version: 1.2.3
Reported on: April 15, 2022
Description: Unprotected provider vulnerability in Charm by Samsung prior to version 1.2.3 allows attackers to read connection state without permission.
The patch adds proper permission for vulnerable provider.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0927(CVE-2022-36830, CVE-2022-36829, CVE-2022-33734, CVE-2022-33733): Sensitive information exposure in Charm by Samsung

Severity: Moderate
Resolved version: 1.2.3
Reported on: April 15, 2022
Description: Sensitive information exposure in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission.
The patch adds proper permission to prevent unprivileged access.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0929(CVE-2022-36837): Intent redirection vulnerability in Samsung email

Severity: Moderate
Resolved version: 6.1.70.20
Reported on: April 15, 2022
Description: Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20 allows attacker to get sensitive information.
The patch deletes the implicit intent.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0947(CVE-2022-36838): Implicit intent hijacking in Galaxy Wearable

Severity: Moderate
Resolved version: 2.2.50
Reported on: April 18, 2022
Description: Implicit intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50 allows attacker to get sensitive information.
The patch changes implicit intent to explicit intent.
Acknowledgement: Sergey Toshin of Oversecured Inc 


SVE-2022-0983(CVE-2022-36831): Path traversal vulnerability in Samsung Notes

Severity: Moderate
Resolved version: 4.3.14.39
Reported on: April 21, 2022
Description: Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows attacker to access some file as Samsung Notes permission.
The patch adds proper validation logic to prevent path traversal.
Acknowledgement: Sergey Toshin of Oversecured Inc 


PC Updates

SVE-2022-0855(CVE-2022-36840): DLL hijacking vulnerability in Samsung Update Setup program

Severity: Moderate
Resolved version: 2.2.9.50
Reported on: April 5, 2022
Description: DLL hijacking vulnerability in Samsung Update Setup prior to version 2.2.9.50 allows attackers to execute arbitrary code.
The patch changes API to prevent hijacking.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


Android Applications Updates

SVE-2022-0924 (CVE-2022-33706): After taking pictures while locked, physical attacker can access the pictures in Gallery using S pen

Severity: Moderate
Resolved version: 13.1.05.8
Reported on: April 15, 2022
Description: Improper access control vulnerability in Samsung Gallery prior to version 13.1.05.8 allows physical attackers to access the pictures using S Pen air gesture.
The patch prevents access by the S Pen air gesture in a locked device.
Acknowledgement: Martin Rusnák


SVE-2022-0825 (CVE-2022-33705): Information exposure in Calendar

Severity: Moderate
Resolved version: 12.3.05.10000
Reported on: April 02, 2022
Description: Information exposure in Calendar prior to version 12.3.05.10000 allows attacker to access calendar schedule without READ_CALENDAR permission.
The patch changes return data.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0867 (CVE-2022-33713): Implicit Intent hijacking in Samsung Cloud

Severity: Moderate
Resolved version: 5.2.0
Reported on: April 06, 2022
Description: Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0 allows attacker to get sensitive information.
The patch changes implicit intent to explicit intent.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0126 (CVE-2022-33707): Improper identifier creation logic in Find My Mobile

Severity: High
Resolved version: 7.2.24.12
Reported on: January 12, 2022
Description: Improper identifier creation logic in Find My Mobile prior to version 7.2.24.12 allows attacker to identify the device.
The patch modifies the identifier creation logic.
Acknowledgement: Alwen Tiu


SVE-2022-1578 (CVE-2022-33710,CVE-2022-33709,CVE-2022-33708): Improper input validation in Galaxy Store

Severity: High
Resolved version: 4.5.41.8
Reported on: June 28, 2022
Description: Improper input validation vulnerability in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
The patch removes unused code.
Acknowledgement: Sergey Toshin of Oversecured Inc


PC Updates

SVE-2022-1099 (CVE-2022-33711): Possible to delete arbitrary directory vulnerability in Samsung USB Driver Installer

Severity: Moderate
Resolved version: 1.7.56.0
Reported on: May 01, 2022
Description: Improper validation of integrity check vulnerability in Samsung USB Driver Windows Installer for Mobile Phones prior to version 1.7.56.0 allows local attackers to delete arbitrary directory using directory junction.
The patch prevents directory junction in the directory used during installation process.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


Other Software Updates

SVE-2022-1185 (CVE-2022-33712): Intent redirection vulnerability using implicit intent in Camera

Severity: Moderate
Resolved version: 12.0.01.64 ,12.0.3.23, 12.0.0.98, 12.0.6.11, 12.0.3.19 in Android S(12)
Reported on: May 06, 2022
Description: Intent redirection vulnerability using implicit intent in Camera prior to versions 12.0.01.64 ,12.0.3.23, 12.0.0.98, 12.0.6.11, 12.0.3.19 in Android S(12) allows attacker to get sensitive information.
The patch changes implicit intent to explicit intent.
Acknowledgement: Sergey Toshin of Oversecured Inc

Android Application Updates


SVE-2021-24286 (CVE-2022-30730): Improper authorization in Samsung Pass

Severity: Moderate
Resolved Version: 4.0.00.33
Reported on: December 16, 2021
Description: Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to access account list without authentication.
The patch adds proper user authentication.
Acknowledgement: Harsh Tyagi 


SVE-2022-0220 (CVE-2022-30731): Possible to access arbitrary files with My File privilege

Severity: Moderate
Resolved Version: 13.1.00.193
Reported on: January 24, 2022
Description: Improper access control vulnerability in My Files prior to version 13.1.00.193 allows attackers to access arbitrary private files in My Files application.
The patch blocks access to the vulnerable component in My Files from external components.
Acknowledgement: Dawn Security Lab, JD


SVE-2022-0312 (CVE-2022-30749): Unauthorized addition of smart devices by bypassing login activity in Smart Things

Severity: Moderate
Resolved Version: 1.7.85.25
Reported on: February 07, 2022
Description: Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.
The patch changes the config in Smart Things to prevent unprivileged access.
Acknowledgement: Shubham Nilkanth Metange


SVE-2022-0335 (CVE-2022-30732): Exposure of Sensitive Information vulnerability in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 10, 2022
Description: Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.
The patch adds proper protection to prevent access to sensitive information.
Acknowledgement: Stealth Assassin


SVE-2022-0338 (CVE-2022-30733): Sensitive information exposure in Sign-in log in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 10, 2022
Description: Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.
The patch deletes user id(phone number) in log.
Acknowledgement: Jenny ZJN


SVE-2022-0339 (CVE-2022-30734): Sensitive information exposure in Sign-out log in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 10, 2022
Description: Sensitive information exposure in Sign-out log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.
The patch deletes user id(phone number) in log.
Acknowledgement: Jenny ZJN


SVE-2022-0340 (CVE-2022-30735): Improper privilege management vulnerability in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 11, 2022
Description: Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the access_token without permission.
The patch removes improper caller check logic.
Acknowledgement: Stealth Assassin


SVE-2022-0370 (CVE-2022-30736): Improper privilege management vulnerability in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 15, 2022
Description: Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the data of contact and gallery without permission.
The patch deletes sensitive data in activity's result.
Acknowledgement: Stealth Assassin


SVE-2022-0371 (CVE-2022-30737): Email  ID leak via implicit intent hijacking

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 15, 2022
Description: Implicit Intent hijacking vulnerability in Samsung Account prior to version 13.2.00.6 allows attackers to get email ID.
The patch changes implicit Intent to explicit Intent to prevent leak of email ID.
Acknowledgement: Stealth Assassin


SVE-2022-0377 (CVE-2022-30738): Improper check in Loader in Samsung Internet

Severity: Low
Resolved Version: 17.0.1.69
Reported on: February 17, 2022
Description: Improper check in Loader in Samsung Internet prior to 17.0.1.69 allows attackers to spoof address bar via executing script.
The patch update visible url on navigation state changed.
Acknowledgement: Narendra Bhati - Lead Pentester At Suma Soft Pvt Ltd India


SVE-2022-0384 (CVE-2022-30739): Improper privilege management vulnerability in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 17, 2022
Description: Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get an user email or phone number with a normal level permission.
The patch adds proper caller signature check logic.
Acknowledgement: Stealth Assassin


SVE-2022-0479 (CVE-2022-30740): Possible to guess stored credit card number

Severity: Moderate
Resolved Version: 17.0.1.69 
Reported on: March 2, 2022
Description: Improper auto-fill algorithm in Samsung Internet prior to version 17.0.1.69 allows physical attackers to guess stored credit card numbers.
The patch fixes auto-fill algorithm of credit card number not to guess it with brute-force attack.
Acknowledgement: Jeremy Chatterson


SVE-2022-0721 (CVE-2022-30741): Sensitive information exposure in Find My Mobile

Severity: Moderate
Resolved Version: 7.2.24.12
Reported on: March 23, 2022
Description: Sensitive information exposure vulnerability in SimChangeAlertManger of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log.
The patch add de-identification process of the data.
Acknowledgement: Zhang Qing 


SVE-2022-0722 (CVE-2022-30742): Sensitive information exposure in Find My Mobile

Severity: Moderate
Resolved Version: 7.2.24.12
Reported on: March 23, 2022
Description: Sensitive information exposure vulnerability in FmmExtraOperation of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log.
The patch add de-identification process of the data.
Acknowledgement: Zhang Qing 


SVE-2022-0740 (CVE-2022-30743): Improper privilege management vulnerability in Samsung Account

Severity: Moderate
Resolved Version: 13.2.00.6
Reported on: February 25, 2022
Description: Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the data of contact and gallery without permission.
The patch adds proper protection to prevent access to sensitive information.
Acknowledgement: Dawn Security Lab, JDcom 


SVE-2022-0866 (CVE-2022-30745): Improper access control in Quick Share

Severity: Moderate
Resolved Version: 13.1.2.4
Reported on: April 6, 2022
Description: Improper access control vulnerability in Quick Share prior to version 13.1.2.4 allows attacker to access internal files in Quick Share.
The patch remove improper caller check logic.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0955 (CVE-2022-30746): Exposure of Sensitive Information vulnerability in Smart Things

Severity: High
Resolved Version: 1.7.85.12
Reported on: April 18,2022
Description: Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access sensitive information remotely using java script interface API.
The patch adds proper caller host check logic.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0970 (CVE-2022-30747): Pending Intent hijacking in Smart Things

Severity: Moderate
Resolved Version: 1.7.85.25
Reported on: April 19, 2022
Description: Pending Intent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.
The patch addresses the Intent in Smart Things to prevent unprivileged access.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0975 (CVE-2022-30748): Arbitrary activity start in Samsung Members

Severity: Moderate
Resolved Version: 4.2.00.5
Reported on: April 19, 2022
Description: Unprotected dynamic receiver in Samsung Members prior to version 4.2.005 allows attacker to launch arbitrary activity.
The patch removes unused code.
Acknowledgement: Sergey Toshin of Oversecured Inc



PC Updates


SVE-2022-0854 (CVE-2022-30744): DLL hijacking vulnerability in Samsung Kies

Severity: Moderate
Resolved Version: 2.6.4.22043_1
Reported on: April 5, 2022
Description: DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows attacker to execute arbitrary code.
The patch changes to load default DLL in Windows.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University



Android Application Updates


SVE-2021-23918 (CVE-2022-28789): Unprotected activities in Voice Note

Severity: Moderate
Resolved Version: 21.3.51.11
Reported on: November 11, 2021
Description: Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction.
The patch adds proper permission for vulnerable activities.
Acknowledgement: Rahul Kankrale


SVE-2022-0763 (CVE-2022-28790): Improper authentication in Link to Windows Service

Severity: Moderate
Resolved Version: 2.3.04.1
Reported on: March 27, 2022
Description: Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device.
The patch adds proper caller signature check logic.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2022-0817 (CVE-2022-28791): Improper input validation in Galaxy Store

Severity: Moderate
Resolved Version: 4.5.41.8
Reported on: April 1, 2022
Description: Improper input validation vulnerability in Install Agent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path.
The patch adds proper protection to prevent overwrite to existing files.
Acknowledgement: Dawn Security Lab, JDcom



PC Updates


SVE-2022-0539 (CVE-2022-28792): DLL hijacking vulnerability in Gear IconX PC Manager

Severity: Moderate
Resolved Version: 2.1.220405.51
Reported on: March 9, 2022
Description: DLL hijacking vulnerability in Gear IconX PC Manager prior to version 2.1.220405.51 allows attacker to execute arbitrary code.
The patch adds proper absolute path to prevent dll hijacking.
Acknowledgement: Soojin Cho of DNSLab, Korea University



Other Software Updates


SVE-2021-23587 (CVE-2022-28793): Improper state maintenance in Strong Box

Severity: Moderate
Resolved Version: Galaxy S22
Reported on: October 14, 2022
Description: Given the TEE is compromised and controlled by the attacker, improper state maintenance in Strong Box allows attackers to change Android ROT during device boot cycle after compromising TEE.
The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time.
Acknowledgement: Federico Menarini and Martijn Bogaard of Riscure



Android Application Updates


SVE-2021-23930 (CVE-2022-27838): Improper access control in Factory Camera

Severity: High
Resolved Version: 2.1.96
Reported on: November 14, 2021
Description: Improper access control vulnerability in Factory Camera prior to version 2.1.96 allows attacker to access the file with system privilege.
Acknowledgement: Luke Symons


SVE-2021-23993 (CVE-2022-27839): Improper authentication vulnerability in Secret Mode in Samsung Internet

Severity: Moderate
Resolved Version: 16.2.1
Reported on: December 22, 2021
Description: Improper authentication vulnerability in Secret Mode in Samsung Internet prior to version 16.2.1 allows attackers to access bookmark tab without proper credentials.
Acknowledgement: Harsh Tyagi


SVE-2021-24297 (CVE-2022-27841): A vulnerability that view the screen that is previously running in Samsung Pass without authentication

Severity: Moderate
Resolved Version: 3.0.07.5
Reported on: December 17, 2021
Description: Improper exception handling in Samsung Pass prior to version 3.7.07.5 allows physical attacker to view the screen that is previously running without authentication
Acknowledgement: Harsh Tyagi


SVE-2022-0117 (CVE-2022-28542): Possible to access arbitrary content providers as Galaxy Store permission

Severity: High
Resolved Version: 4.5.40.5
Reported on: January 12, 2022
Description: Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission.
Acknowledgement: hluwa


SVE-2022-0269 (CVE-2022-28543): Path traversal vulnerability in Samsung Flow

Severity: Moderate
Resolved Version: 4.8.07.4
Reported on: February 2, 2022
Description: Path traversal vulnerability in Samsung Flow prior to version 4.8.07.4 allows local attackers to read arbitrary files as Samsung Flow permission.
Acknowledgement: 남지효


SVE-2022-0358 (CVE-2022-28544): Path traversal vulnerability in Galaxy store

Severity: Moderate
Resolved Version: 4.5.40.5
Reported on: February 14, 2022
Description: Path traversal vulnerability in unzip method of InstallAgentCommonHelper in Galaxy store prior to version 4.5.40.5 allows attacker to access the file of Galaxy store.
Acknowledgement: Sergey Toshin of Oversecured Inc


SVE-2021-23625 (CVE-2022-28775): Improper access control in Samsung Flow

Severity: Moderate
Resolved Version: 4.8.06.5
Reported on: October 19, 2021
Description: Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows attacker to write the file without Samsung Flow permission.
Acknowledgement: Ken Gannon 


SVE-2021-23627 (CVE-2022-28776): Improper access control vulnerability in Galaxy Store

Severity: High
Resolved Version: 4.5.36.4
Reported on: October 16, 2021
Description: Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows attacker to install applications from Galaxy Store without user interactions.
Acknowledgement: Ken Gannon


SVE-2021-23786 (CVE-2022-28777): Improper access control in Samsung Members

Severity: Moderate
Resolved Version: 13.6.08.5
Reported on: November 2, 2021
Description: Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows local attacker to execute call function without CALL_PHONE permission.
Acknowledgement: Zhongquan Li 


SVE-2021-23853 (CVE-2022-1230): Redirect Navigation Confused Vulnerability

Severity: Moderate
Resolved Version: 4.5.40.5
Reported on: November 5, 2021
Description: Synchronization issue during navigation process with browser and renderer prior to version 4.5.40.5 allows attacker to access unauthorized URLs on Webview.
Acknowledgement: Sam Thomas of Pentest Ltd


PC Updates


SVE-2022-0082 (CVE-2022-27842): DLL hijacking vulnerability in Smart Switch PC

Severity: Moderate
Resolved Version: 4.2.22022_4
Reported on: January 7, 2022
Description: DLL hijacking vulnerability in Smart Switch PC prior to version 4.2.22022_4 allows attacker to execute arbitrary code.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2022-0083 (CVE-2022-27843): DLL hijacking vulnerability in Kies

Severity: Moderate
Resolved Version: 2.6.4.22014_2
Reported on: January 7, 2022
Description: DLL hijacking vulnerability in Kies prior to version 2.6.4.22014_2 allows attacker to execute arbitrary code.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2022-0115 (CVE-2022-28541): Uncontrolled search path element vulnerability in Samsung Update

Severity: Moderate
Resolved Version: 3.0.77.0
Reported on: January 12, 2022
Description: Uncontrolled search path element vulnerability in Samsung Update prior to version 3.0.77.0 allows attackers to execute arbitrary code as Samsung Update permission.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


SVE-2021-24074 (CVE-2022-27840): Possible to delete arbitrary files as Samsung Recovery permission

Severity: Moderate
Resolved Version: 8.1.43.0
Reported on: December 29, 2021
Description: Improper access control vulnerability in Samsung Recovery prior to version 8.1.43.0 allows local attackers to delete arbitrary files as Samsung Recovery permission.
Acknowledgement: doit_man


SVE-2021-24075 (CVE-2022-28778): Improper access control vulnerability in Samsung Security Supporter

Severity: Moderate
Resolved Version: 1.2.40.0
Reported on: November 30, 2021
Description: Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows attacker to set the arbitrary folder as Secret Folder without Samsung Security Supporter permission
Acknowledgement: doit_man 


SVE-2021-24333 (CVE-2022-28779): Uncontrolled search path element vulnerability in Samsung Android USB Driver windows installer program

Severity: Low
Resolved Version: 1.7.50
Reported on: December 18, 2021
Description: Uncontrolled search path element vulnerability in Samsung Android USB Driver windows installer program prior to version 1.7.50 allows attacker to execute arbitrary code.
Acknowledgement: DoHyun Lee(@l33d0hyun) of DNSLab, Korea University


Other Software Updates


SVE-2021-22886(CVE-2023-21451): A Stack-based overflow vulnerability in SECRIL

Severity: Moderate
Resolved version: Android S(12)
Reported on: August 07, 2021
Description: A Stack-based overflow vulnerability in IpcRxEmbmsSessionList in SECRIL prior to Android S(12) allows attacker to cause memory corruptions.
The patch adds proper boundary check logic to prevent memory corruptions.
Acknowledgement: Emrah Demir



Android Application Updates

SVE-2021-23764 (CVE-2022-25823): Information Exposure vulnerability in Galaxy Watch Plugin

Severity: Moderate
Resolved Version: 2.2.05.220126741
Reported on: November 1, 2021
Description: Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.220126741 allows attackers to access user information in log
Acknowledgement: Andr. Ess


SVE-2021-23693 (CVE-2022-25824): Improper access control vulnerability in Bixby Touch

Severity: High
Resolved Version: 2.2.00.6
Reported on: October 25, 2021
Description: Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23600 (CVE-2022-25825): Improper access control vulnerability in Samsung Account

Severity: High
Resolved Version: 13.1.0.1
Reported on: October 16, 2021
Description: Improper access control vulnerability in Samsung Account prior to version 13.1.0.1 allows attackers to access to the authcode for sign-in.
Acknowledgement: Josip Franjkovic


SVE-2022-0441 (CVE-2022-25826, CVE-2022-25827, CVE-2022-25828, CVE-2022-25829, CVE-2022-25830): Information Exposure vulerability in Galaxy Watch Plugin

Severity: Moderate
Resolved Version: Galaxy S3 PlugIn 2.2.03.22012751, Galaxy Watch PlugIn 2.2.05.22012751, Watch Active PlugIn 2.2.07.22012751, Watch Active2 PlugIn 2.2.08.22012751 and Galaxy Watch3 Plugin 2.2.09.22012751
Reported on: January 8, 2022
Description: Information Exposure vulnerability in Galaxy Watch Plugin prior to versions 2.2.03.22012751 in Galaxy S3 PlugIn , 2.2.05.22012751 in Galaxy Watch PlugIn, 2.2.07.22012751 in Watch Active PlugIn , 2.2.08.22012751 Watch Active2 PlugIn and 2.2.09.22012751 in Galaxy Watch3 Plugin allows attacker to access password information of connected WiFiAp in the log.
Acknowledgement: Andr. Ess



Android Application Updates


SVE-2021-23428 (CVE-2022-23433): Improper access control vulnerability in Reminder

Severity: Low
Resolved Version: 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10)
Reported on: October 01, 2021
Description: Improper access control vulnerability in Reminder prior to versions 12.3.01.3000 in Android S(12), 12.2.05.6000 in Android R(11) and 11.6.08.6000 in Andoid Q(10) allows attackers to register reminders or execute exporeted activities remotely.
Acknowledgement: Gabriel Campana


SVE-2021-23614 (CVE-2022-23434): Vulnerability using PendingIntent in Bixby Vision

Severity: Moderate
Resolved Version: 3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below
Reported on: October 17, 2021
Description: Vulnerability using PendingIntent in Bixby Vision prior to versions 3.7.60.8 in Android S(12), 3.7.50.6 in Andorid R(11) and below allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: h0rd7


SVE-2021-22979 (CVE-2022-24002): Improper Authorization vulnerability in Link Sharing

Severity: Low
Resolved Version: 12.4.00.3
Reported on: August 16, 2021
Description: Improper Authorization vulnerability in Link Sharing prior to version 12.4.00.3 allows attackers to open protected activity via PreconditionActivity.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23281 (CVE-2022-24003): Exposure of Sensitive Information vulnerability in Bixby Vision

Severity: Moderate
Resolved Version: 3.7.50.6
Reported on: September 17, 2021
Description: Exposure of Sensitive Information vulnerability in Bixby Vision prior to version 3.7.50.6 allows attackers to access internal data of Bixby Vision via unprotected intent.
Acknowledgement: Sergey Toshin


SVE-2021-23092 (CVE-2022-23998): Improper access control vulnerability in Camera

Severity: High
Resolved Version: 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9)
Reported on: August 30, 2021
Description: Improper access control vulnerability in Camera prior to versions 11.1.02.16 in Android R(11), 10.5.03.77 in Android Q(10) and 9.0.6.68 in Android P(9) allows untrusted applications to take a picture in screenlock status.
Acknowledgement: Rahul Kankrale


SVE-2021-23694 (CVE-2022-24923): Improper access control vulnerability in Search Widget

Severity: High
Resolved Version: 2.3.00.6
Reported on: October 25, 2021
Description: Improper access control vulnerability in Samsung Search Widget prior to versions 2.3.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.
Acknowledgement: Dawuge of Pangu Team


SVE-2021-23494 (CVE-2022-24926): Improper input validation vulnerability in SmartTag Plugin

Severity: High
Resolved Version: 1.2.15-6
Reported on: October 07, 2021
Description: Improper input validation vulnerability in SmartTag Plugin prior to version 1.2.15-6 allows privileged attackers to trigger a XSS on a victim's devices.
Acknowledgement: Martin Heyden


SVE-2021-22646 (CVE-2022-24927): Improper privilege management vulnerability in Samsung Video Player

Severity: Moderate
Resolved Version: 7.3.15.30
Reported on: July 30, 2021
Description: Improper privilege management vulnerability in Samsung Video Player prior to version 7.3.15.30 allows attackers to execute video files without permission.
Acknowledgement: Dawuge of Pangu Team



PC Updates


SVE-2021-24089 (CVE-2022-24924): Improper access control vulnerability in LiveWallpaperService

Severity: Low
Resolved Version: 3.0.9.0
Reported on: November 30, 2021
Description: An improper access control in LiveWallpaperService prior to versions 3.0.9.0 allows to create a specific named system directory without a proper permission.
Acknowledgement: HeeChan Kim (@heegong123) of TeamH4C



Other Software Updates


SVE-2021-22370 (CVE-2022-24001): Information disclosure vulnerability in Edge Panel

Severity: Moderate
Resolved Version: Android S(12)
Reported on: June 29, 2021
Description: Information disclosure vulnerability in Edge Panel prior to Android S(12) allows physical attackers to access screenshot in clipboard via Edge Panel.
Acknowledgement: chae


SVE-2021-21467 (CVE-2022-24925): Improper input validation vulnerability in SettingsProvider

Severity: Moderate
Resolved Version: Android S(12)
Reported on: April 14, 2021
Description: Improper input validation vulnerability in SettingsProvider prior to Android S(12) allows privileged attackers to trigger a permanent denial of service attack on a victim's devices.
Acknowledgement: WuHeng Lab of Bytedance



Android Application Updates


SVE-2021-22590 (CVE-2022-22283): Account is not logged out in Samsung health Android App after Remove from inactive device

Severity: Low
Resolved Version: 6.20.1.005
Reported on: July 10, 2021
Description: Improper session management vulnerability in Samsung Health prior to 6.20.1.005 prevents logging out from Samsung Health App.
Acknowledgement: Rohit Kumar


SVE-2021-23292 (CVE-2022-22284): Authentication bypass in Samsung browser secret mode

Severity: Low
Resolved Version: 16.0.2.19
Reported on: October 19, 2021
Description: Improper authentication vulnerability in Samsung Internet prior to 16.0.2.19 allows attackers to bypass secret mode password authentication
Acknowledgement: Harsh Tyagi


SVE-2021-23607 (CVE-2022-22285): Hijack the PendingIntent containing Implicit Intent in the Reminder app to read Contacts

Severity: Moderate
Resolved Version: 12.2.05.0 in Android R(11.0) and 12.3.02.1000 in Android S(12.0)
Reported on: October 17, 2021
Description: A vulnerability using PendingIntent in Reminder prior to version 12.2.05.0 in Android R(11.0) and 12.3.02.1000 in Android S(12.0) allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: h0ard7


SVE-2021-23608 (CVE-2022-22286): Hijack the PendingIntent containing Implicit Intent in the Bixby Routines app to read Contacts

Severity: Moderate
Resolved Version: 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0)
Reported on: October 17, 2021
Description: A vulnerability using PendingIntent in Bixby Routines prior to version 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0) allows attackers to execute privileged action by hijacking and modifying the intent.
Acknowledgement: h0ard7


SVE-2021-23749 (CVE-2022-22287): Abitrary file access vulnerability in Samsung Email

Severity: Moderate
Resolved Version: 6.1.60.16
Reported on: October 29, 2021
Description: Arbitrary file access vulnerability in Samsung Email prior to 6.1.60.16 allows attacker to read isolated data in sandbox.
Acknowledgement: Dzmitry Lukyanenka


SVE-2021-23791 (CVE-2022-22288): Remote app installation vulnerability in Galaxy Store

Severity: Critical
Resolved Version: 4.5.36.5
Reported on: November 3, 2021
Description: Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
Acknowledgement: Ken Gannon


SVE-2021-23888 (CVE-2022-22289): Sensitive information disclosure in S Assistant

Severity: Moderate
Resolved Version: 7.5
Reported on: November 9, 2021
Description: Improper access control vulnerability in S Assistant prior to version 7.5 allows attacker to remotely get sensitive information.
Acknowledgement: hongquan Li @ ADLab of VenusTech


SVE-2021-23944 (CVE-2022-22290): Incorrect UI in Downloads in Samsung Browser

Severity: Moderate
Resolved Version: 16.0.6.23
Reported on: November 15, 2021
Description: Incorrect UI in Downloads in Samsung Internet prior to 16.0.6.23 allows attackers to perform domain spoofing via a crafted HTML page.
Acknowledgement: Kirtikumar Anandrao Ramchandani