CVE-2023-44125 MEDIUM

CVE-2023-44125: Personalized service - Theft and (over-)write of arbitrary files with system privilege via PendingIntent hijacking

Vendor: LG Electronics
Product: LG V60 Thin Q 5G(LMV600VM)
Weakness: CWE-285
Published: September 27, 2023
Last update: September 20, 2024

CVSS base score: 6.1/10

Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

The Personalized service ("com.lge.abba") app uses implicit PendingIntents without PendingIntent.FLAG_IMMUTABLE set, which leads to theft and/or (over-)write of arbitrary files with system privilege. An attacker's app that has access to app notifications could intercept these PendingIntents and redirect them to its own activity, then make the app grant it access permissions to content providers declared with the `android:grantUriPermissions="true"` flag.
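The weak pattern described above next to its hardened form, as an added example: this is generic Android code, not the Personalized service's own, and the class name, action string and `DetailActivity` are hypothetical.

```java
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;

// Hypothetical helper class for illustration; not code from com.lge.abba.
public final class NotificationIntents {
    // Hypothetical action string.
    private static final String ACTION_OPEN = "com.example.app.OPEN_DETAIL";

    // Hypothetical in-app target activity.
    public static class DetailActivity extends Activity {}

    // Weak: the base Intent names no component or package (implicit) and the
    // PendingIntent is mutable. A holder of the PendingIntent, such as an app
    // that can read notifications, can supply a fill-in Intent that redirects
    // it and adds URI-grant flags, all under the creating app's identity.
    // FLAG_MUTABLE exists from API 31; before that, mutable was the default.
    static PendingIntent weak(Context ctx) {
        Intent base = new Intent(ACTION_OPEN);
        return PendingIntent.getActivity(ctx, 0, base,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_MUTABLE);
    }

    // Hardened: explicit component inside the app plus FLAG_IMMUTABLE
    // (API 23+), so fill-in Intents passed to send() are ignored.
    static PendingIntent hardened(Context ctx) {
        Intent base = new Intent(ctx, DetailActivity.class).setAction(ACTION_OPEN);
        return PendingIntent.getActivity(ctx, 0, base,
                PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE);
    }

    // Defensive check for debug builds or instrumentation tests (API 31+):
    // refuse to attach a mutable PendingIntent to a notification.
    static PendingIntent requireImmutable(PendingIntent pi) {
        if (!pi.isImmutable()) {
            throw new IllegalStateException("mutable PendingIntent in notification");
        }
        return pi;
    }
}
```

On the provider side, scoping grants with `<grant-uri-permission>` path rules instead of a blanket `android:grantUriPermissions="true"` limits what a redirected grant could reach.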

Key dates

02 Disclosure timeline

September 27, 2023: CVE published
September 20, 2024: Record updated