CVE-2023-20912

Name of the Vulnerable Software and Affected Versions Android versions prior to the fixed version

Description The issue is related to a missing permission check in the onActivityResult method of AvatarPickerActivity.java. This could allow access to images belonging to other users, potentially leading to local escalation of privilege without requiring additional execution privileges. User interaction is not necessary for exploitation.

Recommendations For Android versions prior to the fixed version, consider restricting access to the AvatarPickerActivity until a patch is available. As a temporary workaround, review and enforce proper permission checks in the onActivityResult method to prevent unauthorized access to user images.