CWE-927
AllowedUse of Implicit Intent for Sensitive Communication
Abstraction: Variant · Status: Incomplete
The Android application uses an implicit intent for transmitting sensitive data to other applications.
34 vulnerabilities reference this CWE, most recent first.
GHSA-PVC4-X6FM-W5WG
Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-11 00:00PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.
{
"affected": [],
"aliases": [
"CVE-2022-36830"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-05T16:15:00Z",
"severity": "MODERATE"
},
"details": "PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.",
"id": "GHSA-pvc4-x6fm-w5wg",
"modified": "2022-08-11T00:00:34Z",
"published": "2022-08-06T00:00:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36830"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=08"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year==2022\u0026month=08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PW4C-H493-RXM2
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.
{
"affected": [],
"aliases": [
"CVE-2023-44124"
],
"database_specific": {
"cwe_ids": [
"CWE-668",
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:35Z",
"severity": "LOW"
},
"details": "The vulnerability is to theft of arbitrary files with system privilege in the Screen recording (\"com.lge.gametools.gamerecorder\") app in the \"com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java\" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the \"onActivityResult()\" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.",
"id": "GHSA-pw4c-h493-rxm2",
"modified": "2024-04-04T07:55:18Z",
"published": "2023-09-27T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44124"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/mobile#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-RVGV-CHJ7-F735
Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30An implicit intent vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read the calling phone number and calling data.
{
"affected": [],
"aliases": [
"CVE-2023-41824"
],
"database_specific": {
"cwe_ids": [
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T14:15:09Z",
"severity": "LOW"
},
"details": "\nAn implicit intent vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read the calling phone number and calling data.\n\n\n\n\n\n\n\n",
"id": "GHSA-rvgv-chj7-f735",
"modified": "2024-05-03T15:30:53Z",
"published": "2024-05-03T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41824"
},
{
"type": "WEB",
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178865"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WVF4-6X9V-V984
Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30An improper export vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read unauthorized information.
{
"affected": [],
"aliases": [
"CVE-2023-41817"
],
"database_specific": {
"cwe_ids": [
"CWE-927"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T14:15:08Z",
"severity": "LOW"
},
"details": "An improper export vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read unauthorized information.",
"id": "GHSA-wvf4-6x9v-v984",
"modified": "2024-05-03T15:30:52Z",
"published": "2024-05-03T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41817"
},
{
"type": "WEB",
"url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178875"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.
No CAPEC attack patterns related to this CWE.