CVE-2020-22475

MEDIUM

Tasks <9.7.3 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-22475. PoCs published by Lyhin\'s Lab.

AI-analyzed exploit summary The exploit describes insecure IPC handling in Tasks 9.7.3, allowing any installed app to add arbitrary tasks via intents to ShareLinkActivity or VoiceCommandActivity. It provides Drozer commands to demonstrate the vulnerability but lacks functional exploit code.

Description

"Tasks" application version before 9.7.3 is affected by insecure permissions. The VoiceCommandActivity application component allows arbitrary applications on a device to add tasks with no restrictions.

Exploits (1)

exploitdb WRITEUP

by Lyhin\'s Lab · textlocalandroid

https://www.exploit-db.com/exploits/49563

View Code ZIP pw:eip

The exploit describes insecure IPC handling in Tasks 9.7.3, allowing any installed app to add arbitrary tasks via intents to ShareLinkActivity or VoiceCommandActivity. It provides Drozer commands to demonstrate the vulnerability but lacks functional exploit code.

Classification

Writeup 90%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: Tasks 9.7.3

No auth needed

Prerequisites: Victim must have Tasks 9.7.3 installed · Attacker must have a malicious app installed on the victim's device

MITRE ATT&CK

T1566.002 - Spearphishing Link

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Patch, Third Party Advisory x_refsource_misc

https://lyhinslab.org/index.php/2020/07/18/how-the-white-box-hacking-works-ok-google-i-wanna-pwn-this-app/

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/49563

Scores

CVSS v3 6.8

EPSS 0.0046

EPSS Percentile 36.4%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-276

Status published

Products (1)

tasks/tasks < 9.7.3

Published Feb 22, 2021

Tracked Since Feb 18, 2026