
CVE-2023-21293
https://notcve.org/view.php?id=CVE-2023-21293
30 Oct 2023 — In PackageManagerNative, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. En PackageManagerNative, existe una forma posible de determinar si una aplicación está instalada, sin permisos de consulta, debido a la divulgación de información del canal lateral. Esto podría conducir a... • https://source.android.com/docs/security/bulletin/android-14 • CWE-203: Observable Discrepancy •

CVE-2022-20264
https://notcve.org/view.php?id=CVE-2022-20264
30 Oct 2023 — In Usage Stats Service, there is a possible way to determine whether an app is installed, without query permissions due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. En el Servicio de Estadísticas de Uso, existe una manera posible de determinar si una aplicación está instalada, sin permisos de consulta debido a la divulgación de información del canal lateral. Esto podría... • https://source.android.com/docs/security/bulletin/android-14 • CWE-203: Observable Discrepancy •

CVE-2021-39810
https://notcve.org/view.php?id=CVE-2021-39810
30 Oct 2023 — In NFC, there is a possible way to setup a default contactless payment app without user consent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. En NFC, existe una forma posible de configurar una aplicación de pago sin contacto predeterminada sin el consentimiento del usuario debido a que falta una verificación de permiso. Esto podría conducir a una escalada local de privilegio... • https://source.android.com/docs/security/bulletin/android-14 • CWE-862: Missing Authorization •

CVE-2023-44128 – LGInstallService - Deletion of arbitrary files with system privilege
https://notcve.org/view.php?id=CVE-2023-44128
27 Sep 2023 — he vulnerability is to delete arbitrary files in LGInstallService ("com.lge.lginstallservies") app. The app contains the exported "com.lge.lginstallservies.InstallService" service that exposes an AIDL interface. All its "installPackage*" methods are finally calling the "installPackageVerify()" method that performs signature validation after the delete file method. An attacker can control conditions so this security check is never performed and an attacker-controlled file is deleted. La vulnerabilidad consis... • https://lgsecurity.lge.com/bulletins/mobile#updateDetails • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •

CVE-2023-44127 – Call management - Implicit activity intents disclose contact details and phone numbers
https://notcve.org/view.php?id=CVE-2023-44127
27 Sep 2023 — he vulnerability is that the Call management ("com.android.server.telecom") app patched by LG launches implicit intents that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as contact details and phone numbers. La vulnerabilidad es que la aplicación de administración de Llamadas ("com.android.server.telecom") parcheada por LG lanza intenciones implícitas que revelan datos sensibles a todas las aplicaciones de terceros instaladas en el mismo dispo... • https://lgsecurity.lge.com/bulletins/mobile#updateDetails • CWE-927: Use of Implicit Intent for Sensitive Communication •

CVE-2023-44126 – Call management - Implicit intents disclose telephony data such as phone numbers, call states, contacts
https://notcve.org/view.php?id=CVE-2023-44126
27 Sep 2023 — The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as call states, durations, called numbers, contacts info, etc. La vulnerabilidad es que la aplicación de administración de llamadas ("com.android.server.telecom") parcheada por LG envía muchas transmisiones implícitas propiedad de LG que revelan datos sensib... • https://lgsecurity.lge.com/bulletins/mobile#updateDetails • CWE-925: Improper Verification of Intent by Broadcast Receiver •

CVE-2023-44121 – LG ThinQ Service - Intent redirection with system privilege/LaunchAnyWhere
https://notcve.org/view.php?id=CVE-2023-44121
27 Sep 2023 — The vulnerability is an intent redirection in LG ThinQ Service ("com.lge.lms2") in the "com/lge/lms/things/ui/notification/NotificationManager.java" file. This vulnerability could be exploited by a third-party app installed on an LG device by sending a broadcast with the action "com.lge.lms.things.notification.ACTION". Additionally, this vulnerability is very dangerous because LG ThinQ Service is a system app (having android:sharedUserId="android.uid.system" setting). Intent redirection in this app leads to... • https://lgsecurity.lge.com/bulletins/mobile#updateDetails • CWE-926: Improper Export of Android Application Components •

CVE-2023-33911
https://notcve.org/view.php?id=CVE-2023-33911
07 Aug 2023 — In vowifi service, there is a possible missing permission check.This could lead to local information disclosure with no additional execution privileges • https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1687281677639942145 • CWE-862: Missing Authorization •

CVE-2021-26277 – Security Advisory | PendingIntent hijacking vulnerability in Framework Services
https://notcve.org/view.php?id=CVE-2021-26277
17 Feb 2023 — The framework service handles pendingIntent incorrectly, allowing a malicious application with certain privileges to perform privileged actions. • https://www.vivo.com/en/support/security-advisory-detail?id=8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2022-39912
https://notcve.org/view.php?id=CVE-2022-39912
08 Dec 2022 — Improper handling of insufficient permissions vulnerability in setSecureFolderPolicy in PersonaManagerService prior to Android T(13) allows local attackers to set some setting value in Secure folder. Vulnerabilidad de manejo inadecuado de permisos insuficientes en setSecureFolderPolicy en PersonaManagerService anterior a Android T(13) permite a atacantes locales establecer algún valor de configuración en la carpeta segura. • https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=12 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-755: Improper Handling of Exceptional Conditions •