CVE-2023-43481

CRITICAL

Shenzhen TCL Browser TV Web BrowseHere <6.65.022 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43481. PoCs published by actuator.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2023-43481, demonstrating remote code execution in the TCL Browser app via an exported activity component. The PoC includes ADB commands and JavaScript injection techniques to extract sensitive data like passwords and session cookies.

Description

An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component.

Exploits (1)

nomisec WORKING POC 1 stars
by actuator · poc
https://github.com/actuator/com.tcl.browser

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: com.tcl.browser version 6.65.022_dab24cc6_231221_gp
No auth needed
Prerequisites: Android device with TCL Browser installed · ADB access or a malicious app to invoke the exported activity
MITRE ATT&CK
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.0106
EPSS Percentile 60.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-94
Status published
Products (1)
tcl/browser_tv_web_-_browsehere 6.65.022_dab24cc6_231221_gp
Published Dec 27, 2023
Tracked Since Feb 18, 2026