CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38295
https://notcve.org/view.php?id=CVE-2023-38295
22 Apr 2024 — Certain software builds for the TCL 30Z and TCL 10 Android devices contain a vulnerable, pre-installed app that relies on a missing permission that provides no protection at runtime. The missing permission is required as an access permission by components in various pre-installed apps. On the TCL 30Z device, the vulnerable app has a package name of com.tcl.screenrecorder (versionCode='1221092802', versionName='v5.2120.02.12008.1.T' ; versionCode='1221092805', versionName='v5.2120.02.12008.2.T'). On the TCL ... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-276: Incorrect Default Permissions •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38296
https://notcve.org/view.php?id=CVE-2023-38296
22 Apr 2024 — Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL ... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-266: Incorrect Privilege Assignment CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38298
https://notcve.org/view.php?id=CVE-2023-38298
22 Apr 2024 — Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as f... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-266: Incorrect Privilege Assignment CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-284: Improper Access Control •