PT-2024-26876 · Unknown · Com.Nll.Cb

Edward Warren · Published 2024-11-07 · Updated 2024-11-08 · CVE-2024-36064

CVSS v3.1: 6.2 (Medium)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

com.nll.cb (aka ACR Phone) versions 0.330-playStore-NoAccessibility-arm8 and earlier

Description

The issue allows any installed application, without requiring permissions, to place phone calls without user interaction. This is achieved by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component.

Recommendations

For versions 0.330-playStore-NoAccessibility-arm8 and earlier, update to a patched version as soon as it is released. As a temporary workaround, consider restricting access to the com.nll.cb.dialer.dialer.DialerActivity component until a patch is available.
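
One way to audit for the condition in the description, as an added example (not code from this advisory or from the ACR Phone project): a Python check over a decoded AndroidManifest.xml that lists components any other app can start without holding a permission, in an app that itself requests CALL_PHONE. The manifest is constructed for illustration; only the package and DialerActivity names come from this page, and the other component names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = {"activity", "activity-alias", "service", "receiver"}

# Constructed manifest for illustration, NOT the real ACR Phone manifest.
# Only the package and DialerActivity names come from the advisory.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.nll.cb">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name="com.nll.cb.dialer.dialer.DialerActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".GuardedCallActivity" android:exported="true"
              android:permission="android.permission.CALL_PHONE"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.ACTION"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def unguarded_exported_components(manifest_xml):
    """List components reachable by any app, with no android:permission guard,
    in an app that holds CALL_PHONE (candidates for permission re-delegation)."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    if app is None or "android.permission.CALL_PHONE" not in requested:
        return []  # the app cannot place calls on another app's behalf
    app_perm = app.get(ANDROID + "permission")  # default guard for all components
    findings = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(ANDROID + "exported")
        # Before Android 12, a component with an intent-filter and no explicit
        # android:exported attribute was exported by default.
        is_exported = exported == "true" or (
            exported is None and comp.find("intent-filter") is not None)
        if is_exported and not (comp.get(ANDROID + "permission") or app_perm):
            findings.append(comp.get(ANDROID + "name"))
    return findings

if __name__ == "__main__":
    for name in unguarded_exported_components(SAMPLE_MANIFEST):
        print("exported without permission guard:", name)
```

The output is a review list, not a verdict: each flagged component still needs a check of whether it acts on caller-supplied intent data without user confirmation.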

Exploit

Fix

XSS

Related Identifiers

CVE-2024-36064

Affected Products

Com.Nll.Cb