CVE-2023-44121 MEDIUM

CVE-2023-44121: LG ThinQ Service - Intent redirection with system privilege/LaunchAnyWhere

Vendor LG Electronics
Product LG V60 Thin Q 5G(LMV600VM)
Weakness CWE-926
Published September 27, 2023
Last update September 23, 2024

CVSS base score

5.0/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

What the vulnerability does

01 Description

The vulnerability is an intent redirection in LG ThinQ Service ("com.lge.lms2"), in the file "com/lge/lms/things/ui/notification/NotificationManager.java". A third-party app installed on an LG device can exploit it by sending a broadcast with the action "com.lge.lms.things.notification.ACTION". The vulnerability is especially dangerous because LG ThinQ Service is a system app (its manifest sets android:sharedUserId="android.uid.system"), so intent redirection in this app gives access to arbitrary non-exported activities of every app on the device.
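
One way to close this class of bug, as an added example that is not code from LG ThinQ Service or from this record: before a privileged receiver forwards an embedded Intent, it checks that the target is an activity the unprivileged sender could have started itself. The class name, the `EXTRA_NEXT` extra, and the assumption that the redirected Intent arrives as a Parcelable extra are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;

// Hypothetical receiver: class name and EXTRA_NEXT are assumptions, not names from com.lge.lms2.
public class ForwardingReceiver extends BroadcastReceiver {
    static final String EXTRA_NEXT = "next_intent"; // assumed extra holding the embedded Intent

    private static final int URI_GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    @Override
    public void onReceive(Context context, Intent broadcast) {
        Intent next = broadcast.getParcelableExtra(EXTRA_NEXT);
        // An unchecked startActivity(next) at this point is the intent-redirection pattern.
        if (next == null || !senderCouldLaunch(context, next)) {
            return; // drop the request instead of launching it as the system UID
        }
        next.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(next);
    }

    // True only if the target is one an unprivileged app could have started itself.
    static boolean senderCouldLaunch(Context context, Intent next) {
        if ((next.getFlags() & URI_GRANT_FLAGS) != 0) {
            return false; // never pass on URI grants under this app's identity
        }
        PackageManager pm = context.getPackageManager();
        ComponentName target = next.resolveActivity(pm);
        if (target == null) {
            return false; // nothing resolves, nothing to launch
        }
        try {
            ActivityInfo info = pm.getActivityInfo(target, 0);
            // Exported and not permission-guarded: reachable without this app's privileges.
            return info.exported && info.permission == null;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }
}
```

Where no third-party sender is legitimate, requiring a signature-level permission on the receiver removes the entry point altogether.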

Key dates

02 Disclosure timeline

September 27, 2023 CVE published
September 23, 2024 Record updated
