CVE-2023-42581
Samsung Galaxy S23 Instant Plays Improper Input Validation Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Improper URL validation from InstantPlay deeplink in Galaxy Store prior to version 4.5.64.4 allows attackers to execute JavaScript API to access data.
La validaciĆ³n incorrecta de la URL del enlace profundo de InstantPlay en Galaxy Store antes de la versiĆ³n 4.5.64.4 permite a los atacantes ejecutar la API de JavaScript para acceder a los datos.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S23 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the implementation of the samsungapps URI scheme. The issue results from a logical error when checking the safety of URIs. An attacker can leverage this vulnerability to execute code in the context of the current user.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-09-11 CVE Reserved
- 2023-12-05 CVE Published
- 2024-08-28 CVE Updated
- 2024-08-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://security.samsungmobile.com/serviceWeb.smsb?year=2023&month=12 | 2023-12-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Samsung Search vendor "Samsung" | Galaxy Store Search vendor "Samsung" for product "Galaxy Store" | < 4.5.64.4 Search vendor "Samsung" for product "Galaxy Store" and version " < 4.5.64.4" | - |
Affected
| ||||||