CVE-2023-44122— LockScreenSettings - Theft arbitrary files with system privilege
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-44122
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LockScreenSettings - Theft arbitrary files with system privilege
Source: NVD (National Vulnerability Database)
Vulnerability Description
The vulnerability is to theft of arbitrary files with system privilege in the LockScreenSettings ("com.lge.lockscreensettings") app in the "com/lge/lockscreensettings/dynamicwallpaper/MyCategoryGuideActivity.java" file. The main problem is that the app launches implicit intents that can be intercepted by third-party apps installed on the same device. They also can return arbitrary data that will be passed to the "onActivityResult()" method. The LockScreenSettings app copies the received file to the "/data/shared/dw/mycategory/wallpaper_01.png" path and then changes the file access mode to world-readable and world-writable.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-927
Source: NVD (National Vulnerability Database)
Vulnerability Title
LG Mobile 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LG mobile是韩国乐金(LG)公司的一系列移动设备产品。 LG Mobile存在安全漏洞。攻击者利用该漏洞将文件访问模式更改为全局可读和全局可写。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| LG Electronics | LG V60 Thin Q 5G(LMV600VM) | Android 12, 13 | - |
II. Public POCs for CVE-2023-44122
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-44122
请登录查看更多情报信息。
- https://lgsecurity.lge.com/bulletins/mobile#updateDetailsvendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-44122
Same Patch Batch · LG Electronics · 2023-09-27 · 9 CVEs total
| CVE-2023-44125 | 6.1 MEDIUM | Personalized service - Theft and (over-)write of arbitrary files with system privilege via |
| CVE-2023-44124 | 6.1 MEDIUM | Screen recording - Theft of arbitrary files with system privilege |
| CVE-2023-44123 | 6.1 MEDIUM | Bluetooth - Theft and (over-)write of arbitrary files with system privilege via PendingInt |
| CVE-2023-44128 | 5.0 MEDIUM | LGInstallService - Deletion of arbitrary files with system privilege |
| CVE-2023-44121 | 5.0 MEDIUM | LG ThinQ Service - Intent redirection with system privilege/LaunchAnyWhere |
| CVE-2023-44129 | 3.6 LOW | Messaging - Gaining access to arbitrary content providers via QClipIntentReceiverActivity |
| CVE-2023-44127 | 3.6 LOW | Call management - Implicit activity intents disclose contact details and phone numbers |
| CVE-2023-44126 | 3.6 LOW | Call management - Implicit intents disclose telephony data such as phone numbers, call sta |
IV. Related Vulnerabilities
Same product: LG V60 Thin Q 5G(LMV600VM)
- CVE-2023-44129
Messaging - Gaining access to arbitrary content providers vi - CVE-2023-44128
LGInstallService - Deletion of arbitrary files with system p - CVE-2023-44127
Call management - Implicit activity intents disclose contact - CVE-2023-44126
Call management - Implicit intents disclose telephony data s - CVE-2023-44125
Personalized service - Theft and (over-)write of arbitrary f
V. Comments for CVE-2023-44122
No comments yet