CVE-2023-43955

critical

Description

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files, and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.

References

https://github.com/truefedex/tv-bro/pull/182#issue-1901769895

https://github.com/actuator/com.phlox.tvwebbrowser/blob/main/poc.apk

https://github.com/actuator/com.phlox.tvwebbrowser/blob/main/CWE-94.md

https://github.com/actuator/com.phlox.tvwebbrowser

Details

Source: Mitre, NVD

Published: 2023-12-27

Updated: 2024-01-09

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical