CVE-2023-23303

Name of the Vulnerable Software and Affected Versions CIQ API versions 3.2.0 through 4.1.7

Description The issue concerns the Toybox.Ant.GenericChannel.enableEncryption API method, which fails to validate its parameters. This can lead to buffer overflows when copying attributes, potentially allowing a malicious application to hijack the device's firmware execution by calling the API method with a specially crafted object.

Recommendations For CIQ API versions 3.2.0 through 4.1.7, consider disabling the Toybox.Ant.GenericChannel.enableEncryption API method until a patch is available to prevent potential buffer overflows and hijacking of the device's firmware. At the moment, there is no information about a newer version that contains a fix for this vulnerability.