uthrasri

40 exploits Active since Aug 2014
CVE-2023-21285 NOMISEC MEDIUM STUB
Android - Local Information Disclosure via MediaSessionRecord setMetadata
In setMetadata of MediaSessionRecord.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
1 stars
CVSS 5.5
CVE-2021-0390 NOMISEC HIGH WRITEUP
Android - Missing Authorization in WifiNetworkSuggestionsManager
In various methods of WifiNetworkSuggestionsManager.java, there is a possible modification of suggested networks due to a missing permission check. This could lead to local escalation of privilege by a background user on the same device with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-8.1, Android-9, Android-10. Android ID: A-174749461
1 stars
CVSS 7.8
CVE-2025-26417 NOMISEC MEDIUM STUB
Android - Local Information Disclosure via DownloadProvider Confused Deputy
In checkWhetherCallingAppHasAccess of DownloadProvider.java, there is a possible bypass of user consent when opening files in shared storage due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS 4.0
CVE-2024-8176 NOMISEC HIGH STUB
Red Hat Enterprise Linux 10 - Denial of Service via Recursive Entity Expansion in libexpat
A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.
CVSS 7.5
CVE-2024-34739 NOMISEC HIGH WRITEUP
Android - Local Privilege Escalation via UsbProfileGroupSettingsManager Logic Error
In shouldRestrictOverlayActivities of UsbProfileGroupSettingsManager.java, there is a possible escape from SUW due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CVSS 7.8
CVE-2024-34741 NOMISEC HIGH STUB
Android - Local Privilege Escalation via Lock Screen Visibility Logic Error
In setForceHideNonSystemOverlayWindowIfNeeded of WindowState.java, there is a possible way for message content to be visible on the screensaver while lock screen visibility settings are restricted by the user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS 7.8
CVE-2024-2193 NOMISEC MEDIUM WORKING POC
CPU Speculative Execution - Info Disclosure
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths.
CVSS 5.7
CVE-2023-5717 NOMISEC HIGH STUB
Linux Kernel 3.2.95-3.2.99 - Heap Out-of-bounds Write in Performance Events Component
A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events (perf) component can be exploited to achieve local privilege escalation. If perf_read_group() is called while an event's sibling_list is smaller than its child's sibling_list, it can increment or write to memory locations outside of the allocated buffer. We recommend upgrading past commit 32671e3799ca2e4590773fd0e63aaa4229e50c06.
CVSS 7.8
CVE-2024-23708 NOMISEC HIGH WRITEUP
NotificationManagerService - Privilege Escalation
In multiple functions of NotificationManagerService.java, there is a possible way to not show a toast message when a clipboard message has been accessed. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS 7.8
CVE-2024-0030 NOMISEC MEDIUM WRITEUP
Android - Out-of-Bounds Read in btif_to_bta_response
In btif_to_bta_response of btif_gatt_util.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS 5.5
CVE-2024-0040 NOMISEC HIGH STUB
Android - Heap-based Buffer Overflow in MtpPacket.cpp setParameter
In setParameter of MtpPacket.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS 7.5
CVE-2023-40167 NOMISEC MEDIUM WRITEUP
Jetty <9.4.52-12.0.1 - Info Disclosure
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than the RFC allows, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround, as there is no known exploit scenario.
CVSS 5.3
CVE-2023-40109 NOMISEC HIGH WORKING POC
Android - Local Privilege Escalation via UsbConfiguration Parcel Handling
In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CVSS 7.8
CVE-2023-40133 NOMISEC MEDIUM WORKING POC
Android - Local Information Disclosure via Confused Deputy in DialogFillUi
In multiple locations of DialogFillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS 5.5
CVE-2023-28588 NOMISEC HIGH
Qualcomm Bluetooth Host - Denial of Service via RFC Slot Allocation
Transient DoS in the Bluetooth Host during RFC slot allocation.
CVSS 7.5
CVE-2023-26049 NOMISEC LOW WRITEUP
Jetty <9.4.51 - Cookie Smuggling via Quoted Value Parsing
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote, even if a semicolon is encountered. So a cookie header such as `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of `b; JSESSIONID=1337; c=d`, instead of three separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enforcing some policy based on cookies, since a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0, and users are advised to upgrade. There are no known workarounds for this issue.
CVSS 2.4
CVE-2023-28588 NOMISEC HIGH NO CODE
Qualcomm Bluetooth Host - Denial of Service via RFC Slot Allocation
Transient DoS in the Bluetooth Host during RFC slot allocation.
CVSS 7.5
CVE-2023-28588 NOMISEC HIGH WORKING POC
Qualcomm Bluetooth Host - Denial of Service via RFC Slot Allocation
Transient DoS in the Bluetooth Host during RFC slot allocation.
CVSS 7.5
CVE-2023-33902 NOMISEC MEDIUM NO CODE
Bluetooth Service - Info Disclosure
In the Bluetooth service, there is a missing permission check. This could lead to local information disclosure with no additional execution privileges needed.
CVSS 5.5
CVE-2023-21097 NOMISEC HIGH WORKING POC
Android 11-13 - Local Privilege Escalation via Intent toUriInner Confused Deputy
In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-261858325
CVSS 7.8
CVE-2021-28165 NOMISEC HIGH WRITEUP
Eclipse Jetty 7.2.2-9.4.38, 10.0.0.alpha0-10.0.1, 11.0.0.alpha0-11.0.1 - Denial of Service via Invalid TLS Frame
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
CVSS 7.5
CVE-2021-0392 NOMISEC HIGH WORKING POC
Android 9-11 - Double Free in main.cpp
In main of main.cpp, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10, Android-11, Android-9. Android ID: A-175124730
CVSS 7.8
CVE-2021-0466 NOMISEC HIGH WRITEUP
Android 10 - Remote Information Disclosure via ClientModeImpl Identifier Tracking
In startIpClient of ClientModeImpl.java, there is a possible identifier which could be used to track a device. This could lead to remote information disclosure to a proximal attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-154114734
CVSS 7.5