
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Insecure caller check and input validation vulnerabilities in SearchKeyword deeplink logic prior to Samsung Internet 16.0.2 allow untrusted applications to execute script code in Samsung Internet. • https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12 • CWE-20: Improper Input Validation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.0 • EPSS: 0% • CPEs: 12 • EXPL: 3

Modern DRAM devices (PC-DDR4, LPDDR4X) are affected by a vulnerability in their internal Target Row Refresh (TRR) mitigation against Rowhammer attacks. Novel non-uniform Rowhammer access patterns, consisting of aggressors with different frequencies, phases, and amplitudes allow triggering bit flips on affected memory modules using our Blacksmith fuzzer. The patterns generated by Blacksmith were able to trigger bitflips on all 40 PC-DDR4 DRAM devices in our test pool, which cover the three major DRAM manufacturers: Samsung, SK Hynix, and Micron. This means that, even when chips advertised as Rowhammer-free are used, attackers may still be able to exploit Rowhammer. For example, this enables privilege-escalation attacks against the kernel or binaries such as the sudo binary, and also triggering bit flips in RSA-2048 keys (e.g., SSH keys) to gain cross-tenant virtual-machine access. • https://comsec.ethz.ch/research/dram/blacksmith https://comsec.ethz.ch/wp-content/files/blacksmith_sp22.pdf https://github.com/comsec-group/blacksmith • CWE-20: Improper Input Validation •

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

A missing input validation in Samsung Flow Windows application prior to Version 4.8.5.0 allows attackers to overwrite an arbitrary file in the Windows known folders. • https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=11 • CWE-20: Improper Input Validation •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation. • https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=11 • CWE-269: Improper Privilege Management •

CVSS: 5.7 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authorization. • https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=11 • CWE-285: Improper Authorization •