CVE-2013-6272

HIGH

Google Android 4.1.1-4.4.2 - Unauthenticated Phone Call and USSD Code Execution via NotificationBroadcastReceiver

Title source: llm

Description

The NotificationBroadcastReceiver class in the com.android.phone process in Google Android 4.1.1 through 4.4.2 allows attackers to bypass intended access restrictions and consequently make phone calls to arbitrary numbers, send MMI or USSD codes, or hang up ongoing calls via a crafted application.

References (5)

Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Jul/13
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/94423
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/127359/Android-OS-Authorization-Missing.html
Exploit, Third Party Advisory x_refsource_misc
https://curesec.com/blog/article/blog/35.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/68415

Scores

CVSS v3 7.8
EPSS 0.0149
EPSS Percentile 71.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (1)
google/android 4.1.1 - 4.4.2
Published May 02, 2018
Tracked Since Feb 18, 2026