Severity
Medium
Analysis Summary
CVE-2023-21132 CVSS:6.4
Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.
CVE-2023-21133 CVSS:6.4
Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.
CVE-2023-21134 CVSS:6.4
Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.
CVE-2023-21140 CVSS:6.4
Google Android could allow a physically proximate attacker to gain elevated privileges on the system, caused by a missing permission check in onCreate of ManagePermissionsActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges. Note: device must have been factory reset.
CVE-2023-21229 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by an unsafe PendingIntent in registerServiceLocked of ManagedServices.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21230 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by a precondition check failure in onAccessPointChanged of AccessPointPreference.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21231 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by a missing permission check in getIntentForButton of ButtonManager.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21269 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by a BAL bypass flaw in startActivityInner of ActivityStarter.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21271 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by an out of bounds read in parseInputs of ShimPreparedModel.cpp. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21272 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by a bad URI permission grant in readFrom of Uri.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21273 CVSS:9.8
Google Android could allow a remote attacker to execute arbitrary code on the system, caused by an out of bounds write in SDP_AddAttribute of sdp_db.cc. By executing a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-21274 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by an out of bounds read in convertSubgraphFromHAL of ShimConverter.cpp. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21275 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by a logic error in the code in decideCancelProvisioningDialog of AdminIntegratedFlowPrepareActivity.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21276 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by the use of uninitialized data in writeToParcel of CursorWindow.cpp. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21277 CVSS:5.5
Google Android could allow a local authenticated attacker to obtain sensitive information, caused by a missing permission check in visitUris of RemoteViews.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21278 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by a logic error in the code in multiple locations. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21279 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in visitUris of RemoteViews.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21282 CVSS:8.8
Google Android could allow a remote attacker to execute arbitrary code on the system, caused by an incorrect bounds check in TRANSPOSER_SETTINGS of lpp_tran.h. By persuading a victim to execute a specially crafted application, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVE-2023-21283 CVSS:5.5
Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in multiple functions of StatusHints.java. By persuading a victim to execute a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21284 CVSS:5.5
Google Android is vulnerable to a denial of service, caused by improper input validation in multiple functions of DevicePolicyManager.java. By executing a specially crafted application, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-21285 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in setMetadata of MediaSessionRecord.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21286 CVSS:8.4
Google Android could allow a local attacker to gain elevated privileges on the system, caused by a missing permission check in visitUris of RemoteViews.java. By executing a specially crafted application, an attacker could exploit this vulnerability to gain elevated privileges.
CVE-2023-21288 CVSS:5.5
Google Android could allow a local authenticated attacker to obtain sensitive information, caused by a missing permission check in visitUris of Notification.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21289 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in multiple locations. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVE-2023-21290 CVSS:6.2
Google Android is vulnerable to a denial of service, caused by a race condition in update of MmsProvider.java. By executing a specially crafted application, a local attacker could exploit this vulnerability to cause a denial of service.
CVE-2023-21292 CVSS:6.2
Google Android could allow a local attacker to obtain sensitive information, caused by a confused deputy in openContentUri of ActivityManagerService.java. By executing a specially crafted application, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Impact
- Information Disclosure
- Code Execution
- Privilege Escalation
- Denial of Service
Indicators Of Compromise
CVE
- CVE-2023-21132
- CVE-2023-21133
- CVE-2023-21134
- CVE-2023-21140
- CVE-2023-21229
- CVE-2023-21230
- CVE-2023-21231
- CVE-2023-21269
- CVE-2023-21271
- CVE-2023-21272
- CVE-2023-21273
- CVE-2023-21274
- CVE-2023-21275
- CVE-2023-21276
- CVE-2023-21277
- CVE-2023-21278
- CVE-2023-21279
- CVE-2023-21282
- CVE-2023-21283
- CVE-2023-21284
- CVE-2023-21285
- CVE-2023-21286
- CVE-2023-21288
- CVE-2023-21289
- CVE-2023-21290
- CVE-2023-21292
Affected Vendors
Affected Products
- Google Android.
Remediation
Refer to Android Open Source Project for patch, upgrade or suggested workaround information.