CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23299
https://notcve.org/view.php?id=CVE-2023-23299
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others. • https://developer.garmin.com/connect-iq/core-topics/manifest-and-permissions https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23299.md •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23303
https://notcve.org/view.php?id=CVE-2023-23303
The `Toybox.Ant.GenericChannel.enableEncryption` API method in CIQ API version 3.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. A malicious application could call the API method with specially crafted object and hijack the execution of the device's firmware. • https://developer.garmin.com/connect-iq/api-docs/Toybox/Ant/GenericChannel.html#enableEncryption-instance_function https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23303.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23304
https://notcve.org/view.php?id=CVE-2023-23304
The GarminOS TVM component in CIQ API version 2.1.0 through 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission. A malicious application could call any functions from the `Toybox.SensorHistory` module without the user's consent and disclose potentially private or sensitive information. • https://developer.garmin.com/connect-iq/api-docs/Toybox/SensorHistory.html https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23304.md •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23302
https://notcve.org/view.php?id=CVE-2023-23302
The `Toybox.GenericChannel.setDeviceConfig` API method in CIQ API version 1.2.0 through 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. A malicious application could call the API method with specially crafted object and hijack the execution of the device's firmware. • https://developer.garmin.com/connect-iq/api-docs/Toybox/Ant/GenericChannel.html#setDeviceConfig-instance_function https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23302.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23305
https://notcve.org/view.php?id=CVE-2023-23305
The GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 is vulnerable to various buffer overflows when loading binary resources. A malicious application embedding specially crafted resources could hijack the execution of the device's firmware. • https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23305.md • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •