CVE-2024-23729

MEDIUM

ColorOS Internet Browser 45.10.3.4.1 - Remote Code Execution via RealBrowserActivity Component

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-23729. PoCs published by actuator.

AI-analyzed exploit summary The repository contains a functional PoC for CVE-2024-23729, demonstrating arbitrary JavaScript execution in the `com.heytap.browser` Android app via an exported activity component without requiring permissions.

Description

The ColorOS Internet Browser com.heytap.browser application 45.10.3.4.1 for Android allows a remote attacker to execute arbitrary JavaScript code via the com.android.browser.RealBrowserActivity component.

Exploits (1)

nomisec WORKING POC 8 stars

by actuator · poc

https://github.com/actuator/com.heytap.browser

View Code ZIP pw:eip

The repository contains a functional PoC for CVE-2024-23729, demonstrating arbitrary JavaScript execution in the `com.heytap.browser` Android app via an exported activity component without requiring permissions.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: com.heytap.browser version 45.10.3.4.1

No auth needed

Prerequisites: Android device with vulnerable `com.heytap.browser` installed

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Vendor Advisory

https://github.com/actuator/com.heytap.browser

Product

https://play.google.com/store/apps/details?id=com.heytap.browser

Scores

CVSS v3 6.1

EPSS 0.0040

EPSS Percentile 31.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

heytap/internet_browser 45.10.3.4.1

Published Aug 19, 2024

Tracked Since Feb 18, 2026