CVE-2023-27108

Name of the Vulnerable Software and Affected Versions KaiOS version 3.0

Description An issue was discovered in the pre-installed Communications application, which exposes a Web Activity that returns the user's call log without origin or permission checks. An attacker can inject a JavaScript payload that runs in a browser or app without user interaction or consent, allowing the attacker to send the user's call logs to a remote server via XMLHttpRequest or Fetch.

Recommendations For KaiOS version 3.0, consider disabling the Web Activity in the Communications application until a patch is available to prevent unauthorized access to the user's call log. Restrict access to sensitive information to minimize the risk of exploitation.