CVE Daily
← All tags

Tag: Android OS

All CVEs associated with "Android OS". Page 6/76 • 9114 CVEs.

Subscribe CVEs: RSS for “Android OS”  ·  RSS (High+Critical only)

About “Android OS”

A curated feed of “Android OS”-related CVEs appears below. We currently track 9114 CVEs for this tag (all time). In the last 365 days, 361 were published. Average CVSS is 6.8 (all time; 6.1 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-926 - Improper Export of Android Application Components, CWE-451 - User Interface (UI) Misrepresentation of Critical Information, CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor.

In our taxonomy this topic maps to a MODERATE impact class. Issues here typically affect operating system packages or kernels. Plan reboots or service restarts and coordinate rollouts across fleets. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-04-22
High

CVE-2023-38292

Certain software builds for the TCL 20XE Android device contain a vulnerable, pre-installed app with a package name of com.tct.gcs.hiddenmenuproxy (versionCode='2', versionName='v11.0.1.0.0201.0') th…

CVSS: 8.7 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2023-38291

An issue was discovered in a third-party component related to ro.boot.wifimacaddr, shipped on devices from multiple device manufacturers. Various software builds for the following TCL devices (30Z an…

CVSS: 7.1 CWE: CWE-276 - Incorrect Default Permissions View on NVD
High

CVE-2023-38290

Certain software builds for the BLU View 2 and Sharp Rouvo V Android devices contain a vulnerable pre-installed app with a package name of com.evenwell.fqc (versionCode='9020801', versionName='9.0208…

CVSS: 7.8 CWE: CWE-1263 - Improper Physical Access Control View on NVD
2024-04-18
Medium

CVE-2024-29986

Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

CVSS: 5.4 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2024-04-16
Low

CVE-2024-27086

The MSAL library enabled acquisition of security tokens to call protected APIs. MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to…

CVSS: 3.9 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-04-07
Low

CVE-2024-3430

A vulnerability was found in QKSMS up to 3.9.4 on Android. It has been classified as problematic. This affects an unknown part of the file androidmanifest.xml of the component Backup File Handler. Th…

CVSS: 2.4 CWE: CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere View on NVD
Medium

CVE-2021-4438

A vulnerability, which was classified as critical, has been found in kyivstarteam react-native-sms-user-consent up to 1.1.4 on Android. Affected by this issue is the function registerReceiver of the…

CVSS: 5.3 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2024-04-04
Medium

CVE-2024-31215

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can c…

CVSS: 6.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-04-02
Medium

CVE-2023-6951

A Use of Weak Credentials vulnerability affecting the Wi-Fi network generated by a set of DJI drones could allow a remote attacker to derive the WPA2 PSK key and authenticate without permission to th…

CVSS: 6.6 CWE: CWE-334 - Small Space of Random Values View on NVD
Medium

CVE-2024-20854

Improper handling of insufficient privileges vulnerability in Samsung Camera prior to versions 12.1.0.31 in Android 12, 13.1.02.07 in Android 13, and 14.0.01.06 in Android 14 allows local attackers t…

CVSS: 5.9 CWE: N/A View on NVD
2024-04-01
Low

CVE-2024-3128

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, has been found in Replify-Messenger 1.0 on Android. This issue affects some unknown processing of the file androi…

CVSS: 2.4 CWE: CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere View on NVD
Low

CVE-2024-3124

A vulnerability classified as problematic has been found in fridgecow smartalarm 1.8.1 on Android. This affects an unknown part of the file androidmanifest.xml of the component Backup File Handler. T…

CVSS: 2.4 CWE: CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere View on NVD
Medium

CVE-2024-3130

Hard-coded Credentials in CoolKit eWeLlink app are before 5.4.x on Android and IOS allows local attacker to unauthorized access to sensitive data via Decryption algorithm and key obtained after decom…

CVSS: 5.7 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Medium

CVE-2024-28895

'Yahoo! JAPAN' App for Android v2.3.1 to v3.161.1 and 'Yahoo! JAPAN' App for iOS v3.2.2 to v4.109.0 contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary scri…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-03-28
High

CVE-2024-23727

The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.…

CVSS: 8.4 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-03-22
High

CVE-2024-29190

Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does n…

CVSS: 7.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2024-03-21
Medium

CVE-2024-28756

The SolarEdge mySolarEdge application before 2.20.1 for Android has a certificate verification issue that allows a Machine-in-the-middle (MitM) attacker to read and alter all network traffic between…

CVSS: 5.9 CWE: CWE-125 - Out-of-bounds Read View on NVD
Medium

CVE-2024-26196

Microsoft Edge for Android (Chromium-based) Information Disclosure Vulnerability

CVSS: 4.3 CWE: CWE-259 - Use of Hard-coded Password View on NVD
2024-03-18
Low

CVE-2024-28745

Improper export of Android application components issue exists in 'ABEMA' App for Android prior to 10.65.0 allowing another app installed on the user's device to access an arbitrary URL on 'ABEMA' Ap…

CVSS: 3.3 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
2024-03-17
Low

CVE-2024-2567

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as problematic, was found in jurecapuder AndroidWeatherApp 1.0.0 on Android. Affected is an unknown function of the file androidm…

CVSS: 1.8 CWE: CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere View on NVD
2024-03-16
Medium

CVE-2023-36483

Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android  version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier which allows remote att…

CVSS: 6.5 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-03-13
Medium

CVE-2024-27440

The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle…

CVSS: 4.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-03-12
High

CVE-2024-26204

Outlook for Android Information Disclosure Vulnerability

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2024-21448

Microsoft Teams for Android Information Disclosure Vulnerability

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2024-03-11
Low

CVE-2024-2365

A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. Affected by this vulnerability is an unknown functionality of the file io\fabric\sdk\android\services\network\Pin…

CVSS: 1.6 CWE: CWE-916 - Use of Password Hash With Insufficient Computational Effort View on NVD
2024-03-10
Low

CVE-2024-2364

A vulnerability classified as problematic has been found in Musicshelf 1.0/1.1 on Android. Affected is an unknown function of the file androidmanifest.xml of the component Backup Handler. The manipul…

CVSS: 1.8 CWE: CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere View on NVD
2024-03-07
Medium

CVE-2024-26167

Microsoft Edge for Android Spoofing Vulnerability

CVSS: 4.3 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
2024-03-05
Medium

CVE-2024-20840

Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers using hardware keyboard to use VoiceRec…

CVSS: 5.7 CWE: N/A View on NVD
Medium

CVE-2024-20839

Improper access control in Samsung Voice Recorder prior to versions 21.5.16.01 in Android 12 and Android 13, 21.4.51.02 in Android 14 allows physical attackers to access recording files on the lock s…

CVSS: 4.6 CWE: N/A View on NVD
High

CVE-2024-25731

The Elink Smart eSmartCam (com.cn.dq.ipc) application 2.1.5 for Android contains hardcoded AES encryption keys that can be extracted from a binary file. Thus, encryption can be defeated by an attacke…

CVSS: 7.5 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2024-02-29
Medium

CVE-2024-26132

Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the…

CVSS: 4.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2024-26131

Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activ…

CVSS: 8.4 CWE: CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints View on NVD
2024-02-27
Medium

CVE-2021-46935

In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area…

CVSS: 5.5 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2024-02-26
Medium

CVE-2024-27350

Amazon Fire OS 7 before 7.6.6.9 and 8 before 8.1.0.3 allows Fire TV applications to establish local ADB (Android Debug Bridge) connections. NOTE: some third parties dispute whether this has security…

CVSS: 5.9 CWE: N/A View on NVD
2024-02-17
Low

CVE-2022-42443

An undisclosed issue in Trusteer iOS SDK for mobile versions prior to 5.7 and Trusteer Android SDK for mobile versions prior to 5.7 may allow uploading of files. IBM X-Force ID: 238535.

CVSS: 2.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
2024-02-16
High

CVE-2024-25466

Directory Traversal vulnerability in React Native Document Picker before v.9.1.1 and fixed in v.9.1.1 allows a local attacker to execute arbitrary code via a crafted script to the Android library com…

CVSS: 7.8 CWE: CWE-26 - Path Traversal: '/dir/../filename' View on NVD
2024-02-15
Critical

CVE-2024-0390

INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability coul…

CVSS: 9.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2024-02-13
Medium

CVE-2024-21374

Microsoft Teams for Android Information Disclosure Vulnerability

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2024-02-09
High

CVE-2023-6724

Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse. This issue a…

CVSS: 8.8 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
2024-02-06
High

CVE-2024-23304

Cybozu KUNAI for Android 3.0.20 to 3.0.21 allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by performing certain operations.

CVSS: 7.5 CWE: CWE-426 - Untrusted Search Path View on NVD
High

CVE-2023-47889

The Android application BINHDRM26 com.bdrm.superreboot 1.0.3, exposes several critical actions through its exported broadcast receivers. These exposed actions can allow any app on the device to send…

CVSS: 7.8 CWE: CWE-927 - Use of Implicit Intent for Sensitive Communication View on NVD
2024-02-05
High

CVE-2023-47355

The com.eypcnnapps.quickreboot (aka Eyuep Can Yilmaz {ROOT] Quick Reboot) application 1.0.8 for Android has exposed broadcast receivers for PowerOff, Reboot, and Recovery (e.g., com.eypcnnapps.quickr…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2024-01-26
Medium

CVE-2024-23388

Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulne…

CVSS: 6.1 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-21387

Microsoft Edge for Android Spoofing Vulnerability

CVSS: 5.3 CWE: CWE-357 - Insufficient UI Warning of Dangerous Operations View on NVD
Medium

CVE-2024-21382

Microsoft Edge for Android Information Disclosure Vulnerability

CVSS: 4.3 CWE: CWE-942 - Permissive Cross-domain Security Policy with Untrusted Domains View on NVD
2024-01-25
Medium

CVE-2023-33757

A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2024-01-24
Medium

CVE-2024-23453

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. T…

CVSS: 5.5 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2024-01-20
Medium

CVE-2023-46447

The POPS! Rebel application 5.0 for Android, in POPS! Rebel Bluetooth Glucose Monitoring System, sends unencrypted glucose measurements over BLE.

CVSS: 4.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2024-01-15
High

CVE-2023-42137

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow for command execution with high privileges by using malicious symlinks. The attacker must have…

CVSS: 7.8 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
High

CVE-2023-42136

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with…

CVSS: 7.8 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
Medium

CVE-2023-42134

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The…

CVSS: 6.8 CWE: CWE-912 - Hidden Functionality View on NVD
2024-01-09
Medium

CVE-2024-21668

react-native-mmkv is a library that allows easy use of MMKV inside React Native applications. Before version 2.11.0, the react-native-mmkv logged the optional encryption key for the MMKV database int…

CVSS: 4.4 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2023-36629

The ST ST54-android-packages-apps-Nfc package before 130-20230215-23W07p0 for Android has an out-of-bounds read.

CVSS: 5.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2024-01-04
Low

CVE-2024-20805

Path traversal vulnerability in ZipCompressor of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows local attackers to write arbitrary f…

CVSS: 3.3 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-20804

Path traversal vulnerability in FileUriConverter of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13 allows local attackers to write arbitrar…

CVSS: 4.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-01-03
Medium

CVE-2023-6540

A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive infor…

CVSS: 6.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2023-5879

Users’ product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices. This allows the att…

CVSS: 6.8 CWE: CWE-922 - Insecure Storage of Sensitive Information View on NVD
High

CVE-2024-21633

Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by atta…

CVSS: 7.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-01-02
Medium

CVE-2023-49794

KernelSU is a Kernel-based root solution for Android devices. In versions 0.7.1 and prior, the logic of get apk path in KernelSU kernel module can be bypassed, which causes any malicious apk named `m…

CVSS: 6.7 CWE: CWE-290 - Authentication Bypass by Spoofing View on NVD
2023-12-31
Low

CVE-2023-52275

Gallery3d on Tecno Camon X CA7 devices allows attackers to view hidden images by navigating to data/com.android.gallery3d/.privatealbum/.encryptfiles and guessing the correct image file extension.

CVSS: 2.1 CWE: CWE-862 - Missing Authorization View on NVD
2023-12-30
High

CVE-2023-6998

Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass.This issue affects eWeLink before 5.2.0.

CVSS: 7.7 CWE: CWE-305 - Authentication Bypass by Primary Weakness View on NVD
2023-12-27
Medium

CVE-2023-46918

Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be levera…

CVSS: 4.6 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
Critical

CVE-2023-47883

The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2023-47882

The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.9_20231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yic…

CVSS: 7.1 CWE: N/A View on NVD
Critical

CVE-2023-43955

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files. and perfo…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-12-19
Medium

CVE-2023-6870

Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox. *This issue only affects Android versions of Firefox and Firefox…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2023-6868

In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthori…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2023-6857

When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary. *This bug only affects Firefox on Unix-based operating systems (Android, Linu…

CVSS: 5.3 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2023-12-14
High

CVE-2023-42801

Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit f57bd745b4cbed577ea654fad4701bea4d…

CVSS: 7.6 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2023-12-13
Medium

CVE-2023-43583

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information v…

CVSS: 4.9 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2023-12-12
High

CVE-2023-6542

Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly f…

CVSS: 7.1 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-12-05
Medium

CVE-2023-42579

Improper usage of insecure protocol (i.e. HTTP) in SogouSDK of Chinese Samsung Keyboard prior to versions 5.3.70.1 in Android 11, 5.4.60.49, 5.4.85.5, 5.5.00.58 in Android 12, and 5.6.00.52, 5.6.10.4…

CVSS: 6.5 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
Medium

CVE-2023-42577

Improper Access Control in Samsung Voice Recorder prior to versions 21.4.15.01 in Android 12 and Android 13, 21.4.50.17 in Android 14 allows physical attackers to access Voice Recorder information on…

CVSS: 6.8 CWE: N/A View on NVD
2023-12-04
High

CVE-2023-40088

In callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execu…

CVSS: 8.8 CWE: CWE-416 - Use After Free View on NVD
2023-11-27
Medium

CVE-2023-25632

The Android Mobile Whale browser app before 3.0.1.2 allows the attacker to bypass its browser unlock function via 'Open in Whale' feature.

CVSS: 5.5 CWE: CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor View on NVD
2023-11-14
Low

CVE-2023-38411

Improper access control in the Intel Smart Campus android application before version 9.4 may allow an authenticated user to potentially enable escalation of privilege via local access.

CVSS: 3.9 CWE: CWE-284 - Improper Access Control View on NVD
Medium

CVE-2023-33872

Improper access control in the Intel Support android application all verions may allow an authenticated user to potentially enable information disclosure via local access.

CVSS: 5.5 CWE: CWE-284 - Improper Access Control View on NVD
2023-11-07
Medium

CVE-2023-42552

Implicit intent hijacking vulnerability in Firewall application prior to versions 12.1.00.24 in Android 11, 13.1.00.16 in Android 12 and 14.1.00.7 in Android 13 allows 3rd party application to tamper…

CVSS: 4.4 CWE: N/A View on NVD
Medium

CVE-2023-42545

Use of implicit intent for sensitive communication vulnerability in Phone prior to versions 12.7.20.12 in Android 11, 13.1.48, 13.5.28 in Android 12, and 14.7.38 in Android 13 allows attackers to acc…

CVSS: 5.5 CWE: N/A View on NVD
2023-11-03
Critical

CVE-2023-36621

An issue was discovered in the Boomerang Parental Control application through 13.83 for Android. The child can use Safe Mode to remove all restrictions temporarily or uninstall the application withou…

CVSS: 9.1 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-36620

An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to b…

CVSS: 4.6 CWE: CWE-284 - Improper Access Control View on NVD
2023-10-31
Medium

CVE-2015-2968

LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be…

CVSS: 5.9 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
Medium

CVE-2015-0897

LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a r…

CVSS: 5.9 CWE: CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel View on NVD
Medium

CVE-2023-46139

KernelSU is a Kernel based root solution for Android. Starting in version 0.6.1 and prior to version 0.7.0, if a KernelSU installed device is infected with a malware whose app signing block specially…

CVSS: 5.0 CWE: CWE-863 - Incorrect Authorization View on NVD
2023-10-30
High

CVE-2023-21358

In UWB Google, there is a possible way for a malicious app to masquerade as system app com.android.uwb.resources due to improperly used crypto. This could lead to local escalation of privilege with n…

CVSS: 7.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
Medium

CVE-2023-21307

In Bluetooth, there is a possible way for a paired Bluetooth device to access a long term identifier for an Android device due to a permissions bypass. This could lead to local information disclosure…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2023-10-27
High

CVE-2023-40140

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no…

CVSS: 7.8 CWE: CWE-416 - Use After Free View on NVD
2023-10-25
High

CVE-2023-46102

The Android Client application, when enrolled to the AppHub server, connects to an MQTT broker to exchange messages and receive commands to execute on the HMI device. The protocol builds on top of…

CVSS: 8.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2023-45851

The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication.  This issue allows an attacker to force the Android Cli…

CVSS: 8.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2023-45844

The vulnerability allows a low privileged user that have access to the device when locked in Kiosk mode to install an arbitrary Android application and leverage it to have access to critical device s…

CVSS: 6.8 CWE: CWE-284 - Improper Access Control View on NVD
High

CVE-2023-45321

The Android Client application, when enrolled with the define method 1 (the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credenti…

CVSS: 8.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
High

CVE-2023-45220

The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentia…

CVSS: 8.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
High

CVE-2023-43488

The vulnerability allows a low privileged (untrusted) application to modify a critical system property that should be denied, in order to enable the ADB (Android Debug Bridge) protocol to be exposed…

CVSS: 7.9 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2023-41960

The vulnerability allows an unprivileged(untrusted) third-party application to interact with a content-provider unsafely exposed by the Android Agent application, potentially modifying sensitive sett…

CVSS: 7.1 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
High

CVE-2023-41372

The vulnerability allows an unprivileged (untrusted) third- party application to arbitrary modify the server settings of the Android Client application, inducing it to connect to an attacker - contro…

CVSS: 7.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
High

CVE-2023-41255

The vulnerability allows an unprivileged user with access to the subnet of the TPC-110W device to gain a root shell on the device itself abusing the lack of authentication of the ‘su’ binary file i…

CVSS: 8.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
Medium

CVE-2023-36085

The sisqualWFM 7.1.319.103 thru 7.1.319.111 for Android, has a host header injection vulnerability in its "/sisqualIdentityServer/core/" endpoint. By modifying the HTTP Host header, an attacker can c…

CVSS: 6.1 CWE: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect') View on NVD
2023-10-19
High

CVE-2023-41898

Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of at…

CVSS: 8.6 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-10-09
Critical

CVE-2023-5365

HP LIFE Android Mobile application is potentially vulnerable to escalation of privilege and/or information disclosure.

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
2023-09-27
Low

CVE-2023-44129

The vulnerability is that the Messaging ("com.android.mms") app patched by LG forwards attacker-controlled intents back to the attacker in the exported "com.android.mms.ui.QClipIntentReceiverActivity…

CVSS: 3.6 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
Low

CVE-2023-44127

he vulnerability is that the Call management ("com.android.server.telecom") app patched by LG launches implicit intents that disclose sensitive data to all third-party apps installed on the same devi…

CVSS: 3.6 CWE: CWE-927 - Use of Implicit Intent for Sensitive Communication View on NVD
Low

CVE-2023-44126

The vulnerability is that the Call management ("com.android.server.telecom") app patched by LG sends a lot of LG-owned implicit broadcasts that disclose sensitive data to all third-party apps install…

CVSS: 3.6 CWE: CWE-925 - Improper Verification of Intent by Broadcast Receiver View on NVD
Medium

CVE-2023-44125

The vulnerability is the use of implicit PendingIntents without the PendingIntent.FLAG_IMMUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Personaliz…

CVSS: 6.1 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2023-44123

The vulnerability is the use of implicit PendingIntents with the PendingIntent.FLAG_MUTABLE set that leads to theft and/or (over-)write of arbitrary files with system privilege in the Bluetooth ("com…

CVSS: 6.1 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2023-44121

The vulnerability is an intent redirection in LG ThinQ Service ("com.lge.lms2") in the "com/lge/lms/things/ui/notification/NotificationManager.java" file. This vulnerability could be exploited by a t…

CVSS: 5.0 CWE: CWE-926 - Improper Export of Android Application Components View on NVD
2023-09-20
Medium

CVE-2023-31014

NVIDIA GeForce Now for Android contains a vulnerability in the game launcher component, where a malicious application on the same device can process the implicit intent meant for the streamer compone…

CVSS: 4.2 CWE: CWE-927 - Use of Implicit Intent for Sensitive Communication View on NVD
2023-09-13
Medium

CVE-2023-42468

The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.a…

CVSS: 5.3 CWE: CWE-269 - Improper Privilege Management View on NVD
Low

CVE-2023-42469

The com.full.dialer.top.secure.encrypted application through 1.0.1 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a craft…

CVSS: 3.3 CWE: CWE-862 - Missing Authorization View on NVD
2023-09-12
Medium

CVE-2023-4907

Inappropriate implementation in Intents in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate security UI via a crafted HTML page. (Chromium security severity: Low)

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2023-4903

Inappropriate implementation in Custom Mobile Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to spoof security UI via a crafted HTML page. (Chromium security severi…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2023-4900

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 117.0.5938.62 allowed a remote attacker to obfuscate a permission prompt via a crafted HTML page. (Chromium security s…

CVSS: 4.3 CWE: N/A View on NVD
2023-09-11
Critical

CVE-2023-42471

The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. It contains a manifest entry that exports the wave.ai.br…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2023-42470

The Imou Life com.mm.android.smartlifeiot application through 6.8.0 for Android allows Remote Code Execution via a crafted intent to an exported component. This relates to the com.mm.android.easy4ip.…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2023-40040

An issue was discovered in the MyCrops HiGrade "THC Testing & Cannabi" application 1.0.337 for Android. A remote attacker can start the camera feed via the com.cordovaplugincamerapreview.CameraActivi…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
2023-09-06
Low

CVE-2023-30730

Implicit intent hijacking vulnerability in Camera prior to versions 11.0.16.43 in Android 11, 12.1.00.30, 12.0.07.53, 12.1.03.10 in Android 12, and 13.0.01.43, 13.1.00.83 in Android 13 allows local a…

CVSS: 3.3 CWE: N/A View on NVD
Medium

CVE-2023-30718

Improper export of android application components vulnerability in WifiApAutoHotspotEnablingActivity prior to SMR Sep-2023 Release 1 allows local attacker to change a Auto Hotspot setting.

CVSS: 4.0 CWE: N/A View on NVD
2023-08-29
Low

CVE-2023-0654

Due to a misconfiguration, the WARP Mobile Client (< 6.29) for Android was susceptible to a tapjacking attack. In the event that an attacker built a malicious application and managed to install it on…

CVSS: 3.9 CWE: CWE-1021 - Improper Restriction of Rendered UI Layers or Frames View on NVD
Low

CVE-2023-0238

Due to lack of a security policy, the WARP Mobile Client (<=6.29) for Android was susceptible to this vulnerability which allowed a malicious app installed on a victim's device to exploit a peculiari…

CVSS: 3.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-08-25
Medium

CVE-2023-40530

Improper authorization in handler for custom URL scheme issue in 'Skylark' App for Android 6.2.13 and earlier and 'Skylark' App for iOS 6.2.13 and earlier allows an attacker to lead a user to access…

CVSS: 4.7 CWE: CWE-862 - Missing Authorization View on NVD
2023-08-16
Medium

CVE-2023-39507

Improper authorization in the custom URL scheme handler in "Rikunabi NEXT" App for Android prior to ver. 11.5.0 allows a malicious intent to lead the vulnerable App to access an arbitrary website.

CVSS: 6.1 CWE: CWE-862 - Missing Authorization View on NVD