Skip to content

The vulnerability is to theft of arbitrary files with...

High severity Unreviewed Published Sep 27, 2023 to the GitHub Advisory Database • Updated Apr 4, 2024

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

The vulnerability is to theft of arbitrary files with system privilege in the LockScreenSettings ("com.lge.lockscreensettings") app in the "com/lge/lockscreensettings/dynamicwallpaper/MyCategoryGuideActivity.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The LockScreenSettings app copies the received file to the "/data/shared/dw/mycategory/wallpaper_01.png" path and then changes the file access mode to world-readable and world-writable.

References

Published by the National Vulnerability Database Sep 27, 2023
Published to the GitHub Advisory Database Sep 27, 2023
Last updated Apr 4, 2024

Severity

High

EPSS score

0.047%
(18th percentile)

Weaknesses

CVE ID

CVE-2023-44122

GHSA ID

GHSA-gq65-23cc-h5wp

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.