CVE-2023-23299

HIGH

Garmin Connect-iq < 4.1.7 - Incorrect Authorization

Title source: rule

Description

The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.

References (2)

Core 2

Core References

Product

https://developer.garmin.com/connect-iq/core-topics/manifest-and-permissions/

Exploit

https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23299.md

View Exploit ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0014

EPSS Percentile 33.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

garmin/connect-iq 1.0.0 - 4.1.7

Published May 23, 2023

Tracked Since Feb 18, 2026