// For flags

CVE-2021-44751

F-Secure SAFE Browser vulnerable to USSD attacks

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction.

Se ha detectado una vulnerabilidad que afecta al navegador F-Secure SAFE anterior al 22 de marzo de 2022. Un sitio web diseñado de forma maliciosa y adjunto con código USSD en JavaScript o iFrame puede desencadenar la aplicación de marcador del navegador F-Secure, que puede ser explotada por un atacante para enviar mensajes USSD no deseados o llevar a cabo llamadas no deseadas. En la mayoría de los Sistemas Operativos Android modernos, la aplicación de marcación requiere la interacción del usuario, sin embargo, algunos sistemas operativos Android más antiguos pueden no necesitar la interacción del usuario

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-12-08 CVE Reserved
  • 2022-03-25 CVE Published
  • 2024-08-04 CVE Updated
  • 2024-10-29 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-276: Incorrect Default Permissions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
F-secure
Search vendor "F-secure"
Safe
Search vendor "F-secure" for product "Safe"
< 18.5
Search vendor "F-secure" for product "Safe" and version " < 18.5"
android
Affected