ID

VAR-202312-0868


CVE

CVE-2023-42581


TITLE

Vulnerability in Samsung's Galaxy Store

Trust: 0.8

sources: JVNDB: JVNDB-2023-018957

DESCRIPTION

Improper URL validation from InstantPlay deeplink in Galaxy Store prior to version 4.5.64.4 allows attackers to execute JavaScript API to access data. Unspecified vulnerabilities exist in Samsung's Galaxy Store. Information may be obtained. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S23 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the implementation of the samsungapps URI scheme. The issue results from a logical error when checking the safety of URIs. An attacker can leverage this vulnerability to execute code in the context of the current user.

Trust: 2.25

sources: NVD: CVE-2023-42581 // JVNDB: JVNDB-2023-018957 // ZDI: ZDI-24-830

AFFECTED PRODUCTS

vendor: samsung, model: galaxy store, scope: lt, version: 4.5.64.4

Trust: 1.0

vendor: サムスン, model: galaxy store, scope: eq, version: 4.5.64.4

Trust: 0.8

vendor: サムスン, model: galaxy store, scope: eq, version: -

Trust: 0.8

vendor: サムスン, model: galaxy store, scope: -, version: -

Trust: 0.8

vendor: samsung, model: galaxy s23, scope: -, version: -

Trust: 0.7

sources: ZDI: ZDI-24-830 // JVNDB: JVNDB-2023-018957 // NVD: CVE-2023-42581

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-42581
value: HIGH

Trust: 1.0

mobile.security@samsung.com: CVE-2023-42581
value: HIGH

Trust: 1.0

NVD: CVE-2023-42581
value: HIGH

Trust: 0.8

ZDI: CVE-2023-42581
value: HIGH

Trust: 0.7

nvd@nist.gov: CVE-2023-42581
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

mobile.security@samsung.com: CVE-2023-42581
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.6
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-42581
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2023-42581
baseSeverity: HIGH
baseScore: 8.8
vectorString: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-24-830 // JVNDB: JVNDB-2023-018957 // NVD: CVE-2023-42581 // NVD: CVE-2023-42581

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-20

Trust: 1.0

problemtype:others (CWE-Other) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2023-018957 // NVD: CVE-2023-42581

PATCH

title: Samsung has issued an update to correct this vulnerability.
url: https://security.samsungmobile.com/serviceWeb.smsb?year=2023&month=12

Trust: 0.7

sources: ZDI: ZDI-24-830

EXTERNAL IDS

db: NVD, id: CVE-2023-42581

Trust: 3.3

db: JVNDB, id: JVNDB-2023-018957

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-22368

Trust: 0.7

db: ZDI, id: ZDI-24-830

Trust: 0.7

sources: ZDI: ZDI-24-830 // JVNDB: JVNDB-2023-018957 // NVD: CVE-2023-42581

REFERENCES

url:https://security.samsungmobile.com/serviceweb.smsb?year=2023&month=12

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2023-42581

Trust: 0.8

sources: ZDI: ZDI-24-830 // JVNDB: JVNDB-2023-018957 // NVD: CVE-2023-42581

CREDITS

Interrupt Labs

Trust: 0.7

sources: ZDI: ZDI-24-830

SOURCES

db: ZDI, id: ZDI-24-830
db: JVNDB, id: JVNDB-2023-018957
db: NVD, id: CVE-2023-42581

LAST UPDATE DATE

2024-08-31T22:56:31.646000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-24-830, date: 2024-08-15T00:00:00
db: JVNDB, id: JVNDB-2023-018957, date: 2024-01-12T02:17:00
db: NVD, id: CVE-2023-42581, date: 2024-08-29T20:35:21.950

SOURCES RELEASE DATE

db: ZDI, id: ZDI-24-830, date: 2024-06-21T00:00:00
db: JVNDB, id: JVNDB-2023-018957, date: 2024-01-12T00:00:00
db: NVD, id: CVE-2023-42581, date: 2023-12-05T03:15:19.293