CVE-2023-43955

CRITICAL

TV Bro <2.0.0 - RCE

Title source: llm

Description

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView. This allows attackers to execute arbitrary code, create arbitrary files, and perform arbitrary downloads via JavaScript that uses takeBlobDownloadData.

Exploits (1)

nomisec WRITEUP 1 stars
by actuator · poc
https://github.com/actuator/com.phlox.tvwebbrowser

Scores

CVSS v3 9.8
EPSS 0.0057
EPSS Percentile 68.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (1)
fedirtsapana/tv_bro < 2.0.0
Published Dec 27, 2023
Tracked Since Feb 18, 2026