PT-2023-28358 · Unknown · Com.Cutestudio.Colordialer
Edward Warren
·
Published
2023-09-13
·
Updated
2024-09-26
·
CVE-2023-42468
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
com.cutestudio.colordialer versions 2.1.8-2 and earlier
Description
The issue allows an attacker to initiate phone calls without user consent because the com.cutestudio.dialer.activities.DialerActivity component is improperly exported. Any third-party application installed on the same device can craft an explicit intent targeting com.cutestudio.dialer.activities.DialerActivity with the android.intent.action.CALL action and a tel: URI, and the dialer places the call. Because the intent is delivered directly to the exported activity rather than resolved by the platform's own CALL handler, the calling application does not need the CALL_PHONE permission itself; the dialer's permission is used on its behalf.
Recommendations
For versions 2.1.8-2 and earlier, until a patched build is available, consider disabling the com.cutestudio.dialer.activities.DialerActivity component to prevent unauthorized phone calls. For the vendor, the fix is to stop exporting the activity (android:exported="false") or to remove android.intent.action.CALL from its intent filter, so that a tel: URI supplied by another application is at most pre-filled in the dialpad (android.intent.action.DIAL semantics) and is never dialed without the user pressing the call button.
Exploit
Fix
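The following is an added worked example and is not code from this page or from the Color Dialer app. It shows the exposure described under Description (the explicit intent a third-party application sends, plus a reconstruction of the activity pattern that makes it exploitable) beside the hardening recommended above. Everything in it is an assumption for illustration: the class and package names of the example, the reconstructed vulnerable activity (the app's real source is not on this page), and the constructed phone number in the tel: URI.

```java
// Added example, not the project's code. Hypothetical package name.
package com.example.dialerfix;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

/*
 * 1. What a malicious app does. It needs no permissions of its own: the
 *    intent is addressed to the exported activity by component name, so the
 *    platform's CALL handler (which would enforce CALL_PHONE on the sender)
 *    is never involved. The dialer, which holds CALL_PHONE, places the call.
 *    The same thing from a shell with adb (assumed equivalent, constructed number):
 *      adb shell am start -a android.intent.action.CALL -d tel:+15550100 \
 *        -n com.cutestudio.colordialer/com.cutestudio.dialer.activities.DialerActivity
 */
public class PocCaller {
    public static Intent buildIntent() {
        Intent i = new Intent(Intent.ACTION_CALL, Uri.parse("tel:+15550100")); // constructed
        i.setClassName("com.cutestudio.colordialer",
                       "com.cutestudio.dialer.activities.DialerActivity");
        return i; // a third-party app would call startActivity(i)
    }
}

/*
 * 2. Vulnerable pattern, reconstructed from the advisory text (assumption,
 *    not the app's source). Manifest:
 *    <activity android:name=".activities.DialerActivity" android:exported="true">
 *        <intent-filter>
 *            <action android:name="android.intent.action.CALL"/>
 *            <category android:name="android.intent.category.DEFAULT"/>
 *            <data android:scheme="tel"/>
 *        </intent-filter>
 *    </activity>
 */
class VulnerableDialerActivity extends Activity {
    @Override protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        Intent in = getIntent();
        if (Intent.ACTION_CALL.equals(in.getAction()) && in.getData() != null) {
            placeCall(in.getData()); // dials at once: no consent, no check of who sent it
        }
    }
    void placeCall(Uri tel) { /* TelecomManager.placeCall(...) in a real dialer */ }
}

/*
 * 3. Hardened form. Two independent controls:
 *    a) Manifest: do not export the CALL handler. If the activity must stay
 *       exported for its default-dialer duties, drop android.intent.action.CALL
 *       from the filter and keep only android.intent.action.DIAL:
 *    <activity android:name=".activities.DialerActivity" android:exported="true">
 *        <intent-filter>
 *            <action android:name="android.intent.action.DIAL"/>
 *            <category android:name="android.intent.category.DEFAULT"/>
 *            <data android:scheme="tel"/>
 *        </intent-filter>
 *    </activity>
 *    b) Code: any intent that reaches onCreate() came from outside the app's
 *       own control flow (internal code calls placeCall() directly), so it is
 *       treated as DIAL regardless of the action string it carries.
 */
class HardenedDialerActivity extends Activity {
    @Override protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        Uri tel = getIntent().getData();
        if (tel == null || !"tel".equals(tel.getScheme())) return;
        // Even if the sender used ACTION_CALL, only pre-fill the number;
        // the call is placed when the user taps the call button.
        showDialpadPrefilled(tel);
    }
    void showDialpadPrefilled(Uri tel) { /* render number in the dialpad UI */ }
    void placeCall(Uri tel) { /* reached only from the user's tap */ }
}
```

Note that Activity.getReferrer() is not a usable basis for trusting the sender: its value is taken from Intent.EXTRA_REFERRER when the caller supplies one, so a hostile app can set it to any package name. Caller identity is only reliably available through getCallingPackage() when the activity was started with startActivityForResult(), which an attacker would simply not use; degrading every externally delivered intent to DIAL semantics avoids the question entirely.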
Weakness Enumeration
Improper Privilege Management (CWE-269)
Related Identifiers
CVE-2023-42468
Affected Products
Com.Cutestudio.Colordialer (com.cutestudio.colordialer versions 2.1.8-2 and earlier)