CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1CVE-2019-12087
https://notcve.org/view.php?id=CVE-2019-12087
Samsung S9+, S10, and XCover 4 P(9.0) devices can become temporarily inoperable because of an unprotected intent in the ContainerAgent application. For example, the victim becomes stuck in a launcher with their Secure Folder locked. NOTE: the researcher mentions "the Samsung Security Team considered this issue as no/little security impact. ** EN DISPUTA ** Los dispositivos Samsung S9+, S10 y XCover 4 P(9.0) pueden quedar temporalmente inutilizados debido a un intent desprotegido en la aplicación ContainerAgent. Por ejemplo, la víctima queda atrapada en un lanzador con su Carpeta Segura bloqueada. NOTA: el investigador menciona que "el equipo de seguridad de Samsung consideró que este asunto no tenía ningún impacto en la seguridad". • https://github.com/fs0c131y/SamsungLocker • CWE-399: Resource Management Errors •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2019-6740 – Samsung Galaxy S9 ASN.1 Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-6740
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SMR-JAN-2019 - SVE-2018-13467). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the ASN.1 parser. When parsing ASN.1 strings, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.zerodayinitiative.com/advisories/ZDI-19-253 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-6741 – Samsung Galaxy S9 Untrusted Site Redirection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-6741
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SMR-JAN-2019 - SVE-2018-13467). User interaction is required to exploit this vulnerability in that the target must connect to a wireless network. The specific flaw exists within the captive portal. By manipulating HTML, an attacker can force a page redirection. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.zerodayinitiative.com/advisories/ZDI-19-254 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 4%CPEs: 2EXPL: 0CVE-2019-6742 – Samsung Galaxy S9 GameServiceReceiver Unsafe Updates Validation Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2019-6742
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to 1.4.20.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the GameServiceReceiver update mechanism. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-7477. • https://www.zerodayinitiative.com/advisories/ZDI-19-255 • CWE-358: Improperly Implemented Security Check for Standard •