Vulnerability Details : CVE-2023-23299
Potential exploit
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.
Products affected by CVE-2023-23299
- cpe:2.3:a:garmin:connect-iq:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-23299
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 27 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-23299
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2023-23299
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2023-23299
-
https://developer.garmin.com/connect-iq/core-topics/manifest-and-permissions/
Core TopicsProduct
-
https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23299.md
garmin-ciq-app-research/CVE-2023-23299.md at main · anvilsecure/garmin-ciq-app-research · GitHubExploit
Jump to