Common Weakness Enumeration

CWE-927

Allowed

Use of Implicit Intent for Sensitive Communication

Abstraction: Variant · Status: Incomplete

The Android application uses an implicit intent for transmitting sensitive data to other applications.

34 vulnerabilities reference this CWE, most recent first.

GHSA-PVC4-X6FM-W5WG

Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-11 00:00
VLAI
Details

PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36830"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-927"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-05T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "PendingIntent hijacking vulnerability in cancelAlarmManager in Charm by Samsung prior to version 1.2.3 allows local attackers to access files without permission via implicit intent.",
  "id": "GHSA-pvc4-x6fm-w5wg",
  "modified": "2022-08-11T00:00:34Z",
  "published": "2022-08-06T00:00:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36830"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022\u0026month=08"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year==2022\u0026month=08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW4C-H493-RXM2

Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55
VLAI
Details

The vulnerability is to theft of arbitrary files with system privilege in the Screen recording ("com.lge.gametools.gamerecorder") app in the "com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-44124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668",
      "CWE-927"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-27T15:19:35Z",
    "severity": "LOW"
  },
  "details": "The vulnerability is to theft of arbitrary files with system privilege in the Screen recording (\"com.lge.gametools.gamerecorder\") app in the \"com/lge/gametools/gamerecorder/settings/ProfilePreferenceFragment.java\" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the \"onActivityResult()\" method. The Screen recording app saves contents of arbitrary URIs to SD card which is a world-readable storage.",
  "id": "GHSA-pw4c-h493-rxm2",
  "modified": "2024-04-04T07:55:18Z",
  "published": "2023-09-27T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44124"
    },
    {
      "type": "WEB",
      "url": "https://lgsecurity.lge.com/bulletins/mobile#updateDetails"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVGV-CHJ7-F735

Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30
VLAI
Details

An implicit intent vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read the calling phone number and calling data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-927"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T14:15:09Z",
    "severity": "LOW"
  },
  "details": "\nAn implicit intent vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read the calling phone number and calling data.\n\n\n\n\n\n\n\n",
  "id": "GHSA-rvgv-chj7-f735",
  "modified": "2024-05-03T15:30:53Z",
  "published": "2024-05-03T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41824"
    },
    {
      "type": "WEB",
      "url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178865"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVF4-6X9V-V984

Vulnerability from github – Published: 2024-05-03 15:30 – Updated: 2024-05-03 15:30
VLAI
Details

An improper export vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read unauthorized information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-927"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T14:15:08Z",
    "severity": "LOW"
  },
  "details": "An improper export vulnerability was reported in the Motorola Phone Calls application that could allow a local attacker to read unauthorized information.",
  "id": "GHSA-wvf4-6x9v-v984",
  "modified": "2024-05-03T15:30:52Z",
  "published": "2024-05-03T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41817"
    },
    {
      "type": "WEB",
      "url": "https://en-us.support.motorola.com/app/answers/detail/a_id/178875"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

If the application only requires communication with its own components, then the destination is always known, and an explicit intent could be used.

No CAPEC attack patterns related to this CWE.