Android Applications Updates
SVE-2023-0668(CVE-2023-42539): PendingIntent hijacking vulnerability in Samsung Health
Severity: Moderate
Resolved version: 6.25
Reported on: April 17, 2023
Description: PendingIntent hijacking vulnerability in ChallengeNotificationManager in Samsung Health prior to version 6.25 allows local attackers to access data.
The patch adds proper access control.
Acknowledgement: Oversecured (oversecured.com)
SVE-2023-0928(CVE-2023-42540): Improper access control vulnerability in Samsung Account
Severity: Moderate
Resolved version: 14.5.01.1
Reported on: May 29, 2023
Description: Improper access control vulnerability in Samsung Account prior to version 14.5.01.1 allows attackers to access sensitive information via implicit intent.
The patch adds proper access control to use explicit intent.
Acknowledgement: Oversecured (oversecured.com)
SVE-2023-1287(CVE-2023-42541): Improper authorization in Samsung Push Service
Severity: Moderate
Resolved version: 3.4.10
Reported on: July 5, 2023
Description: Improper authorization in PushClientProvider of Samsung Push Service prior to version 3.4.10 allows attackers to access the unique ID.
The patch blocks access to PushClientProvider.
Acknowledgement: hsia.angsh
SVE-2023-1372(CVE-2023-42542): Improper access control in Samsung Push Service
Severity: Moderate
Resolved version: 3.4.10
Reported on: July 21, 2023
Description: Improper access control vulnerability in Samsung Push Service prior to 3.4.10 allows local attackers to get the register ID to identify the device.
The patch adds proper access control check logic.
Acknowledgement: Zhang Qing, Wang Kailong
SVE-2023-1414(CVE-2023-42543): Improper verification of intent by broadcast receiver vulnerability in Bixby Voice
Severity: Moderate
Resolved version: 3.3.35.12
Reported on: July 27, 2023
Description: Improper verification of intent by broadcast receiver vulnerability in Bixby Voice prior to version 3.3.35.12 allows attackers to access arbitrary data with Bixby Voice privilege.
The patch adds proper access control to use LocalBroadcastManager.
Acknowledgement: hackhackdump
SVE-2023-1416(CVE-2023-42544): Improper access control vulnerability in Quick Share
Severity: Moderate
Resolved version: 13.5.52.0
Reported on: July 28, 2023
Description: Improper access control vulnerability in Quick Share prior to 13.5.52.0 allows local attackers to access local files.
The patch adds proper access control.
Acknowledgement: OrangeCat
SVE-2023-1454(CVE-2023-42545): Use of implicit intent for sensitive communication vulnerability in Phone
Severity: Moderate
Resolved version: 12.7.20.12 in Android 11, 13.1.48, 13.5.28 in Android 12, and 14.7.38 in Android 13
Reported on: August 6, 2023
Description: Use of implicit intent for sensitive communication vulnerability in Phone prior to versions 12.7.20.12 in Android 11, 13.1.48, 13.5.28 in Android 12, and 14.7.38 in Android 13 allows attackers to access location data.
The patch adds proper access control to use explicit intent.
Acknowledgement: OrangeCat
SVE-2023-1502(CVE-2023-42551, CVE-2023-42550, CVE-2023-42549, CVE-2023-42548, CVE-2023-42547, CVE-2023-42546): Use of implicit intent for sensitive communication vulnerability in Samsung Account
Severity: Moderate
Resolved version: 14.5.00.7
Reported on: August 12, 2023
Description: Use of implicit intent for sensitive communication vulnerability in Samsung Account prior to version 14.5.00.7 allows attackers to access arbitrary files with Samsung Account privilege.
The patch adds proper access control to use explicit intent.
Acknowledgement: OrangeCat
SVE-2023-1503(CVE-2023-42552): Implicit intent hijacking vulnerability in Firewall application
Severity: Moderate
Resolved version: 12.1.00.24 in Android 11, 13.1.00.16 in Android 12 and 14.1.00.7 in Android 13
Reported on: August 12, 2023
Description: Implicit intent hijacking vulnerability in Firewall application prior to versions 12.1.00.24 in Android 11, 13.1.00.16 in Android 12 and 14.1.00.7 in Android 13 allows third-party applications to tamper with the database of Firewall.
The patch changes the implicit intent to explicit intent to prevent hijacking.
Acknowledgement: OrangeCat
SVE-2023-1545(CVE-2023-42553): Improper authorization verification vulnerability in Samsung Email
Severity: Moderate
Resolved version: 6.1.90.4
Reported on: August 20, 2023
Description: Improper authorization verification vulnerability in Samsung Email prior to version 6.1.90.4 allows attackers to read sandbox data of email.
The patch adds proper authorization verification logic to prevent unauthorized access.
Acknowledgement: OrangeCat
SVE-2023-1557(CVE-2023-42554): Improper Authentication vulnerability in SamsungPass
Severity: Moderate
Resolved version: 4.3.00.17
Reported on: August 22, 2023
Description: Improper Authentication vulnerability in SamsungPass prior to version 4.3.00.17 allows physical attackers to bypass authentication.
The patch adds proper authentication logic.
Acknowledgement: Harsh Tyagi
SVE-2023-1625(CVE-2023-42555): Use of implicit intent for sensitive communication vulnerability in EasySetup
Severity: Moderate
Resolved version: 11.1.13
Reported on: September 6, 2023
Description: Use of implicit intent for sensitive communication vulnerability in EasySetup prior to version 11.1.13 allows attackers to get the Bluetooth address of the user's device.
The patch adds proper access control to use explicit intent.