Vulnerability Details : CVE-2023-42468

The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application (without any permissions) can craft an intent targeting com.cutestudio.dialer.activities.DialerActivity via the android.intent.action.CALL action in conjunction with a tel: URI, thereby placing a phone call.

Published 2023-09-13 20:15:08

Updated 2023-09-18 18:36:35

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2023-42468

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 42 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2023-42468

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	3.9	1.4	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

References for CVE-2023-42468

https://github.com/actuator/com.cutestudio.colordialer/blob/main/dialerPOC.apk

Exploit
https://github.com/actuator/com.cutestudio.colordialer/blob/main/CWE-284.md

Exploit;Third Party Advisory
https://github.com/actuator/com.cutestudio.colordialer/blob/main/dial.gif

Exploit
https://github.com/actuator/cve/blob/main/CVE-2023-42468

Third Party Advisory

Products affected by CVE-2023-42468

Azmobileapps » Color Phone » For Android
Versions up to, including, (<=) 2.1.8-2
cpe:2.3:a:azmobileapps:color_phone:*:*:*:*:*:android:*:*
Matching versions