Lucene search

MitreCVE-2023-42471

HistorySep 11, 2023 - 8:15 a.m.

CVE-2023-42471

2023-09-1108:15:07

CWE-94

mitre

web.nvd.nist.gov

cve-2023-42471

wave.ai.browser

android

javascript

security vulnerability

nvd

remote code execution

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.01

Percentile

83.8%

JSON

The wave.ai.browser application through 1.0.35 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. It contains a manifest entry that exports the wave.ai.browser.ui.splash.SplashScreen activity. This activity uses a WebView component to display web content and doesn’t adequately validate or sanitize the URI or any extra data passed in the intent by a third party application (with no permissions).

Affected configurations

Nvd

Node

wave-aiwaveRange≤1.0.35android

VendorProductVersionCPE
wave-aiwave*cpe:2.3:a:wave-ai:wave:*:*:*:*:*:android:*:*

Vendor	Product	Version	CPE
wave-ai	wave	*	cpe:2.3:a:wave-ai:wave::::::android::*

References

github.com/actuator/cve/blob/main/CVE-2023-42471

github.com/actuator/wave.ai.browser/blob/main/CWE-94.md

github.com/actuator/wave.ai.browser/blob/main/poc.apk

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.01

Percentile

83.8%

JSON

Related for CVE-2023-42471