close

Samsung Mobile Security
Cookie Policy

Updated on Jan 17, 2022

This Cookie Policy describes the different types of cookies that may be used in connection with Samsung Mobile Security website which is owned and controlled by Samsung Electronics Co., Ltd (“Samsung Electronics”). This Cookie Policy also describes how you can manage cookies.

It’s important that you check back often for updates to the Policy as we may change it from time to time to reflect changes to our use of cookies. Please check the date at the top of this page to see when this Policy was last revised. Any changes to this Policy will become effective when we make the revised Policy available on our website.

Samsung Electronics has offices across Europe, so we can ensure that your request or query will be handled by the data protection team based in your region. If you have any questions, the easiest way to contact us is through our Privacy Support Page at https://www.samsung.com/request-desk.

You can also contact us at:

European Data Protection Officer
Samsung Electronics (UK) Limited
Samsung House, 2000 Hillswood Drive, Chertsey, Surrey KT16 0RS

Cookies

Cookies are small files that store information on your computer, TV, mobile phone, or other device. They enable the entity that put the cookie on your device to recognize you across different websites, services, devices, and/or browsing sessions.

We use the following types of cookies on this website:

Essential Cookies: enable you to receive the services you request via our website. Without these cookies, services that you have asked for cannot be provided. For example, these enable to identify users and provide proper service for each user. These cookies are automatically enabled and cannot be turned off because they are essential to enable you to browse our website. Without these cookies this Samsung Mobile Security website could not be provided.

Cookie Domain Purpose
JSESSIONID security.samsungmobile.com to keep login session
lastActivityTime security.samsungmobile.com to save the user's last activity time to automatically logout after 30 minutes of inactivity

Managing Cookies and Other Technologies

You can also update your browser settings at any time, if you want to remove or block cookies from your device (consult your browser's "help" menu to learn how to remove or block cookies). Samsung Electronics is not responsible for your browser settings. You can find good and simple instructions on how to manage cookies on the different types of web browsers at http://www.allaboutcookies.org.

Go straight to the menu Go straight to the text

Security Updates

We truly appreciate the following security researchers for helping us improve the security of our mobile applications, wearable devices and personal computers. We would like to thank them for disclosing the vulnerability reports responsibly and working with us throughout the process.

Please note that while we are doing our best to release the security patches as soon as possible to all applicable devices and services, release time of security patches may vary depending on the device version and models or service versions.


Android Applications Updates

SVE-2024-0730(CVE-2024-49416): Use of implicit intent for sensitive communication in SmartThings

Severity: Moderate
Resolved version: 1.8.21
Reported on: March 23, 2024
Description: Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information.
The patch adds proper validation.
Acknowledgement: khilli


SVE-2024-0976(CVE-2024-49417): Use of implicit intent for sensitive communication in Smart Touch Call.

Severity: Moderate
Resolved version: 1.0.0.8
Reported on: April 20, 2024
Description: Use of implicit intent for sensitive communication in Smart Touch Call prior to 1.0.0.8 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability.
The patch fixes implicit intent to explicit intent.
Acknowledgement: khilli


SVE-2024-2038(CVE-2024-49418): Insufficient verification of url authenticity in GamingHub

Severity: Moderate
Resolved version: 6.1.03.4 in Korea, 7.1.02.4 in Global
Reported on: October 23, 2024
Description: Insufficient verification of url authenticity in GamingHub prior to version 6.1.03.4 in Korea, 7.1.02.4 in Global allows remote attackers to enable JavaScript in its webview.
The patch adds proper verification.
Acknowledgement: Ken Gannon of NCC Group working with Zero Day Initiative


SVE-2024-2039(CVE-2024-49419): Insufficient verification of url authenticity in GamingHub

Severity: Moderate
Resolved version: 6.1.03.4 in Korea, 7.1.02.4 in Global
Reported on: October 23, 2024
Description: Insufficient verification of url authenticity in GamingHub prior to version 6.1.03.4 in Korea, 7.1.02.4 in Global allows remote attackers to load an arbitrary URL in its webview.
The patch adds proper verification.
Acknowledgement: Ken Gannon of NCC Group working with Zero Day Initiative


SVE-2024-2040(CVE-2024-49420): Improper handling of responses in GamingHub

Severity: Moderate
Resolved version: 6.1.04.6 in Korea, 7.1.03.7 in Global
Reported on: October 23, 2024
Description: Improper handling of responses in GamingHub prior to version 6.1.04.6 in Korea, 7.1.03.7 in Global allows remote attackers to launch arbitrary activity.
The patch adds proper verification.
Acknowledgement: Ken Gannon of NCC Group working with Zero Day Initiative


SVE-2024-2042(CVE-2024-49421): Path traversal in Quick Share Agent

Severity: Moderate
Resolved version: 3.5.14.47 in Android 12, 3.5.19.41 in Android 13, and 3.5.19.42 in Android 14
Reported on: October 23, 2024
Description: Path traversal in Quick Share Agent prior to version 3.5.14.47 in Android 12, 3.5.19.41 in Android 13, and 3.5.19.42 in Android 14 allows adjacent attackers to write file in arbitrary location.
The patch adds mitigation logic to prevent path traversal.
Acknowledgement: Ken Gannon of NCC Group working with Zero Day Initiative


Android Applications Updates

SVE-2024-1041(CVE-2024-49403): Improper access control in Samsung Voice Recorder

Severity: Moderate
Resolved version: 21.5.40.37
Reported on: May 2, 2024
Description: Improper access control in Samsung Voice Recorder prior to version 21.5.40.37 allows physical attackers to access recording files on the lock screen.
The patch adds proper access control.
Acknowledgement: Elias Schröder


SVE-2024-1236(CVE-2024-49404): Improper Access Control in Samsung Video Player

Severity: Moderate
Resolved version: 7.3.29.1 in Android 12, 7.3.36.1 in Android 13 and 7.3.41.230 in Android 14
Reported on: June 2, 2024
Description: Improper Access Control in Samsung Video Player prior to versions 7.3.29.1 in Android 12, 7.3.36.1 in Android 13, and 7.3.41.230 in Android 14 allows physical attackers to access video file of other users.
The patch adds proper validation.
Acknowledgement: Elias Schröder


SVE-2024-1418(CVE-2024-49405): Improper authentication in Private Info in Samsung Pass

Severity: Moderate
Resolved version: 4.4.04.7
Reported on: July 10, 2024
Description: Improper authentication in Private Info in Samsung Pass in prior to version 4.4.04.7 allows physical attackers to access sensitive information in a specific scenario.
The patch adds proper authentication.
Acknowledgement: Harsh Tyagi


SVE-2024-1517(CVE-2024-49406): Improper validation of integrity check value in Blockchain Keystore

Severity: High
Resolved version: 1.3.16
Reported on: July 28, 2024
Description: Improper validation of integrity check value in Blockchain Keystore prior to version 1.3.16 allows local attackers to modify transaction. Root privilege is required for triggering this vulnerability.
The patch adds proper validation logic.
Acknowledgement: CertiK Skyfall


SVE-2024-1550(CVE-2024-49407): Improper access control in Samsung Flow

Severity: High
Resolved version: 4.9.15.7
Reported on: August 4, 2024
Description: Improper access control in Samsung Flow prior to version 4.9.15.7 allows physical attackers to access data across multiple user profiles.
The patch adds proper access control.
Acknowledgement: Sam of Honor Cyber Security Lab


Android Applications Updates

SVE-2024-0761(CVE-2024-34670): Use of implicit intent for sensitive communication in Sound Assistant

Severity: Moderate
Resolved version: 6.1.0.9
Reported on: March 27, 2024
Description: Use of implicit intent for sensitive communication in Sound Assistant prior to version 6.1.0.9 allows local attackers to get sensitive information.
The patch removes unnecessary implementation.
Acknowledgement: khilli


SVE-2024-0762(CVE-2024-34671): Use of implicit intent for sensitive communication in translation in Samsung Internet

Severity: Moderate
Resolved version: 26.0.3.1
Reported on: March 27, 2024
Description: Use of implicit intent for sensitive communication in translation in Samsung Internet prior to version 26.0.3.1 allows local attackers to get sensitive information. User interaction is required for triggering this vulnerability.
The patch fixes implicit intent to explicit intent.
Acknowledgement: khilli


SVE-2024-1221(CVE-2024-34672): Improper input validation in SamsungVideoPlayer

Severity: High
Resolved version: 7.3.29.1 in Android 12, 7.3.36.1 in Android 13 and 7.3.41.230 in Android 14
Reported on: May 30, 2024
Description: Improper input validation in SamsungVideoPlayer prior to versions 7.3.29.1 in Android 12, 7.3.36.1 in Android 13, and 7.3.41.230 in Android 14 allows local attackers to access video file of other users.
The patch adds proper check logic.
Acknowledgement: ycmint working at ADLab of VenusTech


Android Applications Updates

SVE-2024-0738(CVE-2024-34656): Path traversal in Samsung Notes

Severity: High
Resolved version: 4.4.21.62
Reported on: March 25, 2024
Description: Path traversal in Samsung Notes prior to version 4.4.21.62 allows local attackers to execute arbitrary code.
The patch removes unused code.


SVE-2024-0786(CVE-2024-34659, CVE-2024-34658, CVE-2024-34657): Stack-based out-of-bounds write in Samsung Notes

Severity: Critical
Resolved version: 4.4.21.62
Reported on: April 1, 2024
Description: Stack-based out-of-bounds write in Samsung Notes prior to version 4.4.21.62 allows remote attackers to execute arbitrary code.
The patch adds proper input validation.


SVE-2024-0938(CVE-2024-34660): Heap-based out-of-bounds write in Samsung Notes

Severity: High
Resolved version: 4.4.21.62
Reported on: April 16, 2024
Description: Heap-based out-of-bounds write in Samsung Notes prior to version 4.4.21.62 allows local attackers to execute arbitrary code.
The patch adds proper input validation.


SVE-2024-1262(CVE-2024-34661): Improper handling of insufficient permissions in Samsung Assistant

Severity: Moderate
Resolved version: 9.1.00.7
Reported on: June 5, 2024
Description: Improper handling of insufficient permissions in Samsung Assistant prior to version 9.1.00.7 allows remote attackers to access location data. User interaction is required for triggering this vulnerability.
The patch adds proper permission handling.
Acknowledgement: 金峻锋


Other Software Updates

SVE-2024-0537(CVE-2024-49408): Out-of-bounds write in usb driver

Severity: Moderate
Resolved version: Firmware update Sep-2024 Release on Galaxy S24
Reported on: March 6, 2024
Description: Out-of-bounds write in usb driver prior to Firmware update Sep-2024 Release on Galaxy S24 allows local attackers to write out-of-bounds memory. System privilege is required for triggering this vulnerability.
The patch adds proper input validation.
Acknowledgement: Chao Ma of Baidu AIoT Security Team


SVE-2024-0555(CVE-2024-49409): Out-of-bounds write in Battery Full Capacity node

Severity: Moderate
Resolved version: Firmware update Sep-2024 Release on Galaxy S24
Reported on: March 8, 2024
Description: Out-of-bounds write in Battery Full Capacity node prior to Firmware update Sep-2024 Release on Galaxy S24 allows local attackers to write out-of-bounds memory. System privilege is required for triggering this vulnerability.
The patch adds proper input validation.
Acknowledgement: Chao Ma of Baidu AIoT Security Team


Android Applications Updates

SVE-2023-1705(CVE-2024-34621): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying binary with data in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1706(CVE-2024-34622): Out-of-bounds write in Samsung Notes

Severity: High
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds write in appending paragraph in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially execute arbitrary code with Samsung Notes privilege.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1707(CVE-2024-34623): Out-of-bounds write in Samsung Notes

Severity: High
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds write in applying connected information in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially execute arbitrary code with Samsung Notes privilege.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1709(CVE-2024-34624): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying paragraphs in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1712(CVE-2024-34625): Out-of-bounds read validation in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying connection point in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1713(CVE-2024-34626): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying own binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1715(CVE-2024-34627): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in parsing implemention in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1716(CVE-2024-34628): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying binary with path in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1717(CVE-2024-34629): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying binary with text common object in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1719(CVE-2024-34630): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying own binary with textbox in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1721(CVE-2024-34631): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 23, 2023
Description: Out-of-bounds read in applying new binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
The patch adds proper input validation.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1726(CVE-2024-34632): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 25, 2023
Description: Out-of-bounds read in uuid parsing in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.
The patch adds proper boundary check.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1727(CVE-2024-34633): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 25, 2023
Description: Out-of-bounds read in parsing object header in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.
The patch adds proper boundary check.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1734(CVE-2024-34634): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 26, 2023
Description: Out-of-bounds read in parsing connected object list in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.
The patch adds proper boundary check.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2023-1735(CVE-2024-34635): Out-of-bounds read in Samsung Notes

Severity: Moderate
Resolved version: 4.4.21.62
Reported on: September 26, 2023
Description: Out-of-bounds read in parsing textbox object in Samsung Notes prior to version 4.4.21.62 allows local attacker to access unauthorized memory.
The patch adds proper boundary check.
Acknowledgement: Ye Zhang (@VAR10CK) of Baidu Security


SVE-2024-0979(CVE-2024-34636): Use of implicit intent for sensitive communication in Samsung Email

Severity: Moderate
Resolved version: 6.1.94.2
Reported on: April 20, 2024
Description: Use of implicit intent for sensitive communication in Samsung Email prior to version 6.1.94.2 allows local attackers to get sensitive information.
The patch adds proper configuration.
Acknowledgement: khilli


PC Updates

Intel patches are included in this Security Maintenance Release with the following CVE item:

Moderate
CVE-2024-23198, CVE-2024-24984, CVE-2024-25563, CVE-2024-28049

※ Please see Intel Product Security Center Advisories for detailed information on Intel patches.


Android Applications Updates

SVE-2023-2192(CVE-2024-34596): Improper authentication in SmartThings

Severity: Moderate
Resolved version: 1.8.17
Reported on: December 1, 2023
Description: Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner.
The patch adds proper check logic.
Acknowledgement: rice12-tracker


SVE-2024-0458(CVE-2024-34597): Improper input validation in Samsung Health

Severity: Moderate
Resolved version: 6.27.0.113
Reported on: February 23, 2024
Description: Improper input validation in Samsung Health prior to version 6.27.0.113 allows local attackers to write arbitrary document files to the sandbox of Samsung Health. User interaction is required for triggering this vulnerability.
The patch adds proper caller verification logic.
Acknowledgement: hackhackdump


SVE-2024-0973(CVE-2024-34598): Improper export of component in GoodLock

Severity: High
Resolved version: 2.2.04.95
Reported on: April 20, 2024
Description: Improper export of component in GoodLock prior to version 2.2.04.95 allows local attackers to install arbitrary applications from Galaxy Store.
The patch adds proper access control.
Acknowledgement: khilli


SVE-2024-0974(CVE-2024-34599): Improper input validation in Tips

Severity: Moderate
Resolved version: 6.2.9.4
Reported on: April 20, 2024
Description: Improper input validation in Tips prior to version 6.2.9.4 in Android 14 allows local attacker to send broadcast with Tips' privilege.
The patch removes unused code.
Acknowledgement: khilli


SVE-2024-0985(CVE-2024-34600): Improper verification of intent by broadcast receiver vulnerability in Samsung Flow

Severity: Moderate
Resolved version: 4.9.13.0
Reported on: April 20, 2024
Description: Improper verification of intent by broadcast receiver vulnerability in Samsung Flow prior to version 4.9.13.0 allows local attackers to copy image files to external storage.
The patch adds proper caller verification logic.
Acknowledgement: Dawuge


SVE-2024-1172(CVE-2024-34601): Improper verification of intent by broadcast receiver vulnerability in GalaxyStore

Severity: Moderate
Resolved version: 4.5.81.0
Reported on: May 21, 2024
Description: Improper verification of intent by broadcast receiver vulnerability in GalaxyStore prior to version 4.5.81.0 allows local attackers to launch unexported activities of GalaxyStore.
The patch adds proper caller verification logic.
Acknowledgement: hackhackdump


PC Updates

SVE-2023-1895(CVE-2024-20886): Arbitrary directory creation in Samsung Live Wallpaper PC

Severity: Moderate
Resolved version: 3.3.8.0
Reported on: October 15, 2023
Description: Arbitrary directory creation in Samsung Live Wallpaper PC prior to version 3.3.8.0 allows attacker to create arbitrary directory.
The patch adds proper logic to block arbitrary directory creation.
Acknowledgement: HeeChan Kim (@heegong123) of TeamH4C


SVE-2023-2370(CVE-2024-20887): Arbitrary directory creation in GalaxyBudsManager PC

Severity: Moderate
Resolved version: 2.1.240315.51
Reported on: December 22, 2023
Description: Arbitrary directory creation in GalaxyBudsManager PC prior to version 2.1.240315.51 allows attacker to create arbitrary directory.
The patch adds proper logic to block arbitrary directory creation.
Acknowledgement: HeeChan Kim (@heegong123) of TeamH4C


Android Applications Updates

SVE-2023-1593(CVE-2024-20867): Improper privilege management vulnerability in Samsung Email

Severity: Moderate
Resolved version: 6.1.91.14
Reported on: August 31, 2023
Description: Improper privilege management vulnerability in Samsung Email prior to version 6.1.91.14 allows local attackers to access sensitive information.
The patch modifies the user account authorization logic.
Acknowledgement: Ostorlab


SVE-2023-1837(CVE-2024-20868): Improper input validation vulnerability in Samsung Notes

Severity: Moderate
Resolved version: 4.4.15
Reported on: October 12, 2023
Description: Improper input validation in Samsung Notes prior to version 4.4.15 allows local attackers to delete files with Samsung Notes privilege under certain conditions.
The patch adds proper input validation logic.
Acknowledgement: Dawuge


SVE-2024-0043(CVE-2024-20869): Improper privilege management vulnerability in Samsung Internet

Severity: Moderate
Resolved version: 25.0.0.41
Reported on: January 5, 2024
Description: Improper privilege management vulnerability in Samsung Internet prior to version 25.0.0.41 allows local attackers to bypass protection for cookies.
The patch remove improper handling origin logic.
Acknowledgement: Narendra Bhati - Manager Of Cyber Security at Suma Soft Pvt Ltd India -twitter.com/imnarendrabhati


SVE-2024-0403(CVE-2024-20870): Improper verification of intent by broadcast receiver vulnerability in Galaxy Store

Severity: Moderate
Resolved version: 4.5.71.8
Reported on: February 18, 2024
Description: Improper verification of intent by broadcast receiver vulnerability in Galaxy Store prior to version 4.5.71.8 allows local attackers to write arbitrary files with the privilege of Galaxy Store.
The patch adds proper caller verification logic to prevent improper access.
Acknowledgement: Dawuge


Other Software Updates

Samsung Semiconductor patch is also included in select Exynos chipsets with the following CVE item:

Moderate
CVE-2024-20821

※ Please see Samsung Semiconductor Product Security Update for detailed information on Samsung Semiconductor patches.


SVE-2023-0881(CVE-2024-20871): Improper authorization vulnerability in Samsung Keyboard

Severity: Moderate
Resolved version: One UI 5.1.1
Reported on: May 19, 2023
Description: Improper authorization vulnerability in Samsung Keyboard prior to version One UI 5.1.1 allows physical attackers to partially bypass the factory reset protection.
The patch block the usage of context menu.
Acknowledgement: SeungHyun Cho @netkingj


SVE-2023-0968(CVE-2024-20872): Improper handling of insufficient privileges vulnerability in TalkbackSE

Severity: Moderate
Resolved version: Android 14
Reported on: June 3, 2023
Description: Improper handling of insufficient privileges vulnerability in TalkbackSE prior to version Android 14 allows local attackers to modify setting value of TalkbackSE.
The patch adds proper permission to prevent unauthorized access.


PC Updates

Intel patches are included in this Security Maintenance Release with the following CVE item:

High
CVE-2023-38654

Moderate
CVE-2023-38417, CVE-2023-40536, CVE-2023-45845, CVE-2023-47210, CVE-2023-47859

※ Please see Intel Product Security Center Advisories for detailed information on Intel patches.


Android Applications Updates

SVE-2023-2086(CVE-2024-20850): Use of Implicit Intent for Sensitive Communication in Samsung Pay

Severity: Moderate
Resolved version: 5.4.99
Reported on: November 17, 2023
Description: Use of Implicit Intent for Sensitive Communication in Samsung Pay prior to version 5.4.99 allows local attackers to access information of Samsung Pay.
The patch adds a proper access control.
Acknowledgement: Illia Khorolskyi


SVE-2023-2372(CVE-2024-20851): Improper access control vulnerability in Samsung Data Store

Severity: Moderate
Resolved version: 5.3.00.4
Reported on: December 23, 2023
Description: Improper access control vulnerability in Samsung Data Store prior to version 5.3.00.4 allows local attackers to launch arbitrary activity with Samsung Data Store privilege.
The patch removes unused code.
Acknowledgement: hackhackdump


SVE-2024-0210(CVE-2024-20852): Improper verification of intent by broadcast receiver vulnerability in SmartThings

Severity: Moderate
Resolved version: 1.8.13.22
Reported on: January 24, 2024
Description: Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration.
The patch adds proper access control.
Acknowledgement: balance


SVE-2024-0405(CVE-2024-20853): Improper verification of intent by broadcast receiver vulnerability in ThemeStore

Severity: Moderate
Resolved version: 5.3.05.2
Reported on: February 19, 2024
Description: Improper verification of intent by broadcast receiver vulnerability in ThemeStore prior to 5.3.05.2 allows local attackers to write arbitrary files to sandbox of ThemeStore.
The patch adds proper caller verification logic to prevent improper access.
Acknowledgement: Dawuge


Other Software Updates

SVE-2023-2191(CVE-2024-20854): Improper handling of insufficient privileges vulnerability in Samsung Camera

Severity: Moderate
Resolved version: 12.1.0.31 in Android 12, 13.1.02.07 in Android 13, and 14.0.01.06 in Android 14
Reported on: November 30, 2023
Description: Improper handling of insufficient privileges vulnerability in Samsung Camera prior to versions 12.1.0.31 in Android 12, 13.1.02.07 in Android 13, and 14.0.01.06 in Android 14 allows local attackers to access image data.
The patch adds proper permission to prevent unauthorized access.
Acknowledgement: Dawuge


Android Applications Updates

SVE-2023-0472(CVE-2024-20829): Missing proper interaction for opening deeplink in Samsung Internet

Severity: High
Resolved version: v24.0.0.0
Reported on: March 23, 2023
Description: Missing proper interaction for opening deeplink in Samsung Internet prior to version v24.0.0.0 allows remote attackers to open an application without proper interaction.
The patch adds a proper user interaction.
Acknowledgement: Sazzad Mahmud Tomal


SVE-2023-0978(CVE-2024-20837): Improper handling of granting permission in Samsung Internet

Severity: Moderate
Resolved version: v24.0.0.41
Reported on: June 5, 2023
Description: Improper handling of granting permission for Trusted Web Activities in Samsung Internet prior to version 24.0.0.41 allows local attackers to grant permission to their own TWA WebApps without user interaction.
The patch add proper logic to prevent user interaction bypass
Acknowledgement: Zak Brighton Knight


SVE-2023-2070(CVE-2024-20838): Improper validation vulnerability in Samsung Internet

Severity: High
Resolved version: 24.0.3.2
Reported on: November 15, 2023
Description: Improper validation vulnerability in Samsung Internet prior to version 24.0.3.2 allows local attackers to execute arbitrary code.
The patch adds proper validation to prevent unauthorized access.
Acknowledgement: blunt


SVE-2023-2249(CVE-2024-20839): Improper access control in Samsung Voice Recorder

Severity: Moderate
Resolved version: 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14
Reported on: December 9, 2023
Description: Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers to access recording files on the lock screen.
The patch adds proper access control in Samsung Voice Recorder.
Acknowledgement: Elias Schröder


SVE-2023-2250(CVE-2024-20840): Improper Access Control in Samsung Voice Recorder

Severity: Moderate
Resolved version: 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14
Reported on: December 9, 2023
Description: Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers using hardware keyboard to use VoiceRecorder on the lock screen.
The patch adds proper access control in Samsung Voice Recorder.
Acknowledgement: Elias Schröder


SVE-2023-2339(CVE-2024-20841): Improper Handling of Insufficient Privileges in Samsung Account

Severity: Moderate
Resolved version: 14.8.00.3
Reported on: December 20, 2023
Description: Improper Handling of Insufficient Privileges in Samsung Account prior to version 14.8.00.3 allows local attackers to access data.
The patch adds proper permission to prevent unauthorized access.
Acknowledgement: Dawuge


Android Applications Updates

SVE-2023-0774(CVE-2024-20825, CVE-2024-20824, CVE-2024-20823, CVE-2024-20822): Implicit intent hijacking vulnerability in Galaxy Store

Severity: Moderate
Resolved version: 4.5.63.6
Reported on: May 4, 2023
Description: Implicit intent hijacking vulnerability in Galaxy Store prior to version 4.5.63.6 allows local attackers to access sensitive information via implicit intent.
The patch changes implicit intent to explicit intent.
Acknowledgement: Oversecured (oversecured.com)


SVE-2023-1112(CVE-2024-20826): Implicit intent hijacking vulnerability in UPHelper library

Severity: Moderate
Resolved version: 4.0.0
Reported on: June 20, 2023
Description: Implicit intent hijacking vulnerability in UPHelper library prior to version 4.0.0 allows local attackers to access sensitive information via implicit intent.
The patch changes implicit intent to explicit intent.
Acknowledgement: Oversecured (oversecured.com)


SVE-2023-1781(CVE-2024-20827): Improper access control vulnerability in Samsung Gallery

Severity: Moderate
Resolved version: 14.5.04.4
Reported on: October 10, 2023
Description: Improper access control vulnerability in Samsung Gallery prior to version 14.5.04.4 allows physical attackers to access the picture using physical keyboard on the lockscreen.
The patch prevents menu access by physical keyboard in locked device
Acknowledgement: Elias Schröder


SVE-2023-2275(CVE-2024-20828): Improper authorization verification vulnerability in Samsung Internet

Severity: Moderate
Resolved version: 24.0
Reported on: December 12, 2023
Description: Improper authorization verification vulnerability in Samsung Internet prior to version 24.0 allows physical attackers to access files downloaded in SecretMode without proper authentication.
The patch adds proper authorization verification logic to prevent unauthorized access.
Acknowledgement: KRISHAN KUMAR


Android Applications Updates

SVE-2023-0956(CVE-2024-20807): Implicit intent hijacking vulnerability in Samsung Email

Severity: Moderate
Resolved version: 6.1.90.16
Reported on: June 2, 2023
Description: Implicit intent hijacking vulnerability in Samsung Email prior to version 6.1.90.16 allows attacker to get sensitive information.
The patch change the implicit intent to explicit intent.
Acknowledgement: Oversecured (oversecured.com)


SVE-2023-1990(CVE-2024-20808): Improper access control vulnerability in Nearby device scanning

Severity: Moderate
Resolved version: 11.1.14.7
Reported on: October 31, 2023
Description: Improper access control vulnerability in Nearby device scanning prior version 11.1.14.7 allows local attacker to access data.
The patch adds proper access control.
Acknowledgement: Dawuge


SVE-2023-1991(CVE-2024-20809): Improper access control vulnerability in Nearby device scanning

Severity: Moderate
Resolved version: 11.1.14.7
Reported on: October 31, 2023
Description: Improper access control vulnerability in Nearby device scanning prior version 11.1.14.7 allows local attacker to access data.
The patch adds proper access control.
Acknowledgement: Dawuge