CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-44126 – Call management - Implicit intents disclose telephony data such as phone numbers, call states, contacts
https://notcve.org/view.php?id=CVE-2023-44126
The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps installed on the same device. Those intents include data such as call states, durations, called numbers, contacts info, etc. La vulnerabilidad es que la aplicación de administración de llamadas ("com.android.server.telecom") parcheada por LG envía muchas transmisiones implícitas propiedad de LG que revelan datos sensibles a todas las aplicaciones de terceros instaladas en el mismo dispositivo. Esas intenciones incluyen datos como estados de llamadas, duraciones, números llamados, información de contactos, etc. • https://lgsecurity.lge.com/bulletins/mobile#updateDetails • CWE-925: Improper Verification of Intent by Broadcast Receiver •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-44121 – LG ThinQ Service - Intent redirection with system privilege/LaunchAnyWhere
https://notcve.org/view.php?id=CVE-2023-44121
The vulnerability is an intent redirection in LG ThinQ Service ("com.lge.lms2") in the "com/lge/lms/things/ui/notification/NotificationManager.java" file. This vulnerability could be exploited by a third-party app installed on an LG device by sending a broadcast with the action "com.lge.lms.things.notification.ACTION". Additionally, this vulnerability is very dangerous because LG ThinQ Service is a system app (having android:sharedUserId="android.uid.system" setting). Intent redirection in this app leads to accessing arbitrary not exported activities of absolutely all apps. La vulnerabilidad es una redirección de intención en LG ThinQ Service ("com.lge.lms2") en el archivo "com/lge/lms/things/ui/notification/NotificationManager.java". • https://lgsecurity.lge.com/bulletins/mobile#updateDetails • CWE-926: Improper Export of Android Application Components •
CVSS: 6.7EPSS: 0%CPEs: 55EXPL: 0CVE-2023-20811
https://notcve.org/view.php?id=CVE-2023-20811
In IOMMU, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061. • https://corp.mediatek.com/product-security-bulletin/August-2023 • CWE-787: Out-of-bounds Write •
CVSS: 4.4EPSS: 0%CPEs: 55EXPL: 0CVE-2023-20810
https://notcve.org/view.php?id=CVE-2023-20810
In IOMMU, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03692061; Issue ID: DTV03692061. • https://corp.mediatek.com/product-security-bulletin/August-2023 •
CVSS: 6.7EPSS: 0%CPEs: 54EXPL: 0CVE-2023-20809
https://notcve.org/view.php?id=CVE-2023-20809
In vdec, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03751198; Issue ID: DTV03751198. • https://corp.mediatek.com/product-security-bulletin/August-2023 • CWE-787: Out-of-bounds Write •