CVE-2023-42580
Samsung Galaxy S23 instantgame Improper Input Validation Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Improper URL validation from MCSLaunch deeplink in Galaxy Store prior to version 4.5.64.4 allows attackers to execute JavaScript API to install APK from Galaxy Store.
La validaciĆ³n de URL incorrecta del enlace profundo MCSLaunch en Galaxy Store anterior a la versiĆ³n 4.5.64.4 permite a los atacantes ejecutar la API de JavaScript para instalar APK desde Galaxy Store.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S23 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the InstantPlaysUrlUtil class. The issue results from a logical error when checking the safety of URIs. An attacker can leverage this vulnerability to execute code in the context of the current user.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-09-11 CVE Reserved
- 2023-12-05 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.samsungmobile.com/serviceWeb.smsb?year=2023&month=12 | 2023-12-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Samsung Search vendor "Samsung" | Galaxy Store Search vendor "Samsung" for product "Galaxy Store" | < 4.5.64.4 Search vendor "Samsung" for product "Galaxy Store" and version " < 4.5.64.4" | - |
Affected
| ||||||