Vulnerability Details: CVE-2023-42468
Potential exploit
The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application (without any permissions) can craft an intent targeting com.cutestudio.dialer.activities.DialerActivity via the android.intent.action.CALL action in conjunction with a tel: URI, thereby placing a phone call.
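The manifest-level mitigation implied by the description, as an added illustration that is not the vendor's manifest or code; the component name comes from the advisory, while the intent filter and attribute values shown are assumptions:

```xml
<!-- Added illustration, not the vendor's AndroidManifest.xml. The activity
     name is taken from the advisory; the intent filter is assumed. -->

<!-- Risky pattern: an activity that places a call as soon as it receives
     ACTION_CALL with a tel: URI, reachable by every installed app because it is
     exported and declares no permission requirement for its callers. -->
<activity
    android:name="com.cutestudio.dialer.activities.DialerActivity"
    android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.CALL" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="tel" />
    </intent-filter>
</activity>

<!-- Hardened: if the component only needs to be started from inside the app,
     set android:exported="false" and drop the filter. If it must stay exported
     (e.g. to act as a dialer), require callers to hold CALL_PHONE so Android
     applies the same permission gate that protects direct ACTION_CALL use. -->
<activity
    android:name="com.cutestudio.dialer.activities.DialerActivity"
    android:exported="true"
    android:permission="android.permission.CALL_PHONE">
    <intent-filter>
        <action android:name="android.intent.action.CALL" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="tel" />
    </intent-filter>
</activity>
```

A complementary code-level fix is to treat an incoming tel: URI as a request to show the number (ACTION_DIAL semantics, where the user confirms the call) rather than to place the call immediately.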
Products affected by CVE-2023-42468
- cpe:2.3:a:azmobileapps:color_phone:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-42468
0.22% (probability of exploitation activity in the next 30 days)
~59% (percentile: the proportion of vulnerabilities scored at or below this value)
EPSS Score History (chart not reproduced)
CVSS scores for CVE-2023-42468
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2023-42468
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2023-42468
- https://github.com/actuator/com.cutestudio.colordialer/blob/main/dialerPOC.apk (com.cutestudio.colordialer/dialerPOC.apk at main · actuator/com.cutestudio.colordialer · GitHub) [Exploit]
- https://github.com/actuator/com.cutestudio.colordialer/blob/main/CWE-284.md (com.cutestudio.colordialer/CWE-284.md at main · actuator/com.cutestudio.colordialer · GitHub) [Exploit; Third Party Advisory]
- https://github.com/actuator/com.cutestudio.colordialer/blob/main/dial.gif (com.cutestudio.colordialer/dial.gif at main · actuator/com.cutestudio.colordialer · GitHub) [Exploit]
- https://github.com/actuator/cve/blob/main/CVE-2023-42468 (cve/CVE-2023-42468 at main · actuator/cve · GitHub) [Third Party Advisory]