CVE-2023-23306

Name of the Vulnerable Software and Affected Versions CIQ API versions 2.2.0 through 4.1.7

Description The Toybox.Ant.BurstPayload.add API method suffers from a type confusion issue, which can result in an out-of-bounds write operation. A malicious application could create a specially crafted Toybox.Ant.BurstPayload object, call its add method, override arbitrary memory and hijack the execution of the device's firmware.

Recommendations For CIQ API versions 2.2.0 through 4.1.7, consider disabling the Toybox.Ant.BurstPayload.add API method until a patch is available to prevent potential exploitation. Restrict access to the Toybox.Ant.BurstPayload object to minimize the risk of arbitrary memory override and firmware hijacking. Avoid using the add method in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.