Samsung Security Vulnerabilities

CVE-2022-25824

Improper access control vulnerability in BixbyTouch prior to version 2.2.00.6 in China models allows untrusted applications to load arbitrary URL and local files in webview.

CVSS 4; AI Score 4.2; EPSS 0.0004; 2022-03-10 05:47 PM

CVE-2022-25826

Information Exposure vulnerability in Galaxy S3 Plugin prior to version 2.2.03.22012751 allows attacker to access password information of connected WiFiAp in the log

CVSS 3.3; AI Score 4.1; EPSS 0.0004; 2022-03-10 05:47 PM

CVE-2022-25827

Information Exposure vulnerability in Galaxy Watch Plugin prior to version 2.2.05.22012751 allows attacker to access password information of connected WiFiAp in the log

CVSS 3.3; AI Score 4.1; EPSS 0.0004; 2022-03-10 05:47 PM

CVE-2022-25828

Information Exposure vulnerability in Watch Active Plugin prior to version 2.2.07.22012751 allows attacker to access password information of connected WiFiAp in the log

CVSS 3.3; AI Score 4.1; EPSS 0.0004; 2022-03-10 05:47 PM

CVE-2022-25829

Information Exposure vulnerability in Watch Active2 Plugin prior to version 2.2.08.22012751 allows attacker to access password information of connected WiFiAp in the log

CVSS 3.3; AI Score 4.1; EPSS 0.0004; 2022-03-10 05:47 PM

CVE-2022-25830

Information Exposure vulnerability in Galaxy Watch3 Plugin prior to version 2.2.09.22012751 allows attacker to access password information of connected WiFiAp in the log

CVSS 3.3; AI Score 4.1; EPSS 0.0004; 2022-03-10 05:47 PM

CVE-2022-27837

A vulnerability using PendingIntent in Accessibility prior to version 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows attacker to access the file with system privilege.

CVSS 7.8; AI Score 7.4; EPSS 0.001; 2022-04-11 08:15 PM

CVE-2022-27838

Improper access control vulnerability in FactoryCamera prior to version 2.1.96 allows attacker to access the file with system privilege.

CVSS 7.8; AI Score 7.5; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-27839

Improper authentication vulnerability in SecretMode in Samsung Internet prior to version 16.2.1 allows attackers to access bookmark tab without proper credentials.

CVSS 4; AI Score 4.5; EPSS 0.0005; 2022-04-11 08:15 PM

CVE-2022-27840

Improper access control vulnerability in SamsungRecovery prior to version 8.1.43.0 allows local attackers to delete arbitrary files as SamsungRecovery permission.

CVSS 4.4; AI Score 4.7; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-27841

Improper exception handling in Samsung Pass prior to version 3.7.07.5 allows physical attacker to view the screen that is previously running without authentication

CVSS 4.3; AI Score 4.5; EPSS 0.001; 2022-04-11 08:15 PM

CVE-2022-27842

DLL hijacking vulnerability in Smart Switch PC prior to version 4.2.22022_4 allows attacker to execute arbitrary code.

CVSS 7.8; AI Score 7.6; EPSS 0.001; 2022-04-11 08:15 PM

CVE-2022-27843

DLL hijacking vulnerability in Kies prior to version 2.6.4.22014_2 allows attacker to execute arbitrary code.

CVSS 7.8; AI Score 7.6; EPSS 0.001; 2022-04-11 08:15 PM

CVE-2022-28541

Uncontrolled search path element vulnerability in Samsung Update prior to version 3.0.77.0 allows attackers to execute arbitrary code as Samsung Update permission.

CVSS 7.8; AI Score 7.9; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28542

Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission.

CVSS 6.8; AI Score 5.3; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28543

Path traversal vulnerability in Samsung Flow prior to version 4.8.07.4 allows local attackers to read arbitrary files as Samsung Flow permission.

CVSS 5.5; AI Score 5.3; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28544

Path traversal vulnerability in unzip method of InstallAgentCommonHelper in Galaxy store prior to version 4.5.40.5 allows attacker to access the file of Galaxy store.

CVSS 6.2; AI Score 5.4; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28775

Improper access control vulnerability in Samsung Flow prior to version 4.8.06.5 allows attacker to write the file without Samsung Flow permission.

CVSS 5.1; AI Score 4.1; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28776

Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows attacker to install applications from Galaxy Store without user interactions.

CVSS 7.8; AI Score 7.5; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28777

Improper access control vulnerability in Samsung Members prior to version 13.6.08.5 allows local attacker to execute call function without CALL_PHONE permission.

CVSS 4.3; AI Score 4.2; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28778

Improper access control vulnerability in Samsung Security Supporter prior to version 1.2.40.0 allows attacker to set the arbitrary folder as Secret Folder without Samsung Security Supporter permission

CVSS 4.4; AI Score 4.2; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28779

Uncontrolled search path element vulnerability in Samsung Android USB Driver windows installer program prior to version 1.7.50 allows attacker to execute arbitrary code.

CVSS 7.8; AI Score 7.7; EPSS 0.0004; 2022-04-11 08:15 PM

CVE-2022-28789

Unprotected activities in Voice Note prior to version 21.3.51.11 allows attackers to record voice without user interaction. The patch adds proper permission for vulnerable activities.

CVSS 6.2; AI Score 5.5; EPSS 0.0004; 2022-05-03 08:15 PM

CVE-2022-28790

Improper authentication in Link to Windows Service prior to version 2.3.04.1 allows attacker to lock the device. The patch adds proper caller signature check logic.

CVSS 4; AI Score 4.3; EPSS 0.0004; 2022-05-03 08:15 PM

CVE-2022-28791

Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwrite to existing files.

CVSS 6.2; AI Score 5.4; EPSS 0.0004; 2022-05-03 08:15 PM

CVE-2022-28792

DLL hijacking vulnerability in Gear IconX PC Manager prior to version 2.1.220405.51 allows attacker to execute arbitrary code. The patch adds proper absolute path to prevent dll hijacking.

CVSS 7.8; AI Score 7.8; EPSS 0.001; 2022-05-03 08:15 PM

CVE-2022-28793

Given the TEE is compromised and controlled by the attacker, improper state maintenance in StrongBox allows attackers to change Android ROT during device boot cycle after compromising TEE. The patch is applied in Galaxy S22 to prevent change of Android ROT after first initialization at boot time.

CVSS 4.4; AI Score 4.8; EPSS 0.0004; 2022-05-03 08:15 PM

CVE-2022-30730

Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to access account list without authentication.

CVSS 4.6; AI Score 4.5; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30731

Improper access control vulnerability in My Files prior to version 13.1.00.193 allows attackers to access arbitrary private files in My Files application.

CVSS 5.5; AI Score 5.5; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30732

Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.

CVSS 7.5; AI Score 7.2; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30733

Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get a user email or phone number without permission.

CVSS 5.3; AI Score 5.1; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30734

Sensitive information exposure in Sign-out log in Samsung Account prior to version 13.2.00.6 allows attackers to get a user email or phone number without permission.

CVSS 5.3; AI Score 5.1; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30735

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the access_token without permission.

CVSS 7.5; AI Score 7.5; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30736

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the data of contact and gallery without permission.

CVSS 5.3; AI Score 5.2; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30737

Implicit Intent hijacking vulnerability in Samsung Account prior to version 13.2.00.6 allows attackers to get email ID.

CVSS 5.3; AI Score 5.2; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30738

Improper check in Loader in Samsung Internet prior to 17.0.1.69 allows attackers to spoof address bar via executing script.

CVSS 4.3; AI Score 4.5; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30739

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get a user email or phone number with a normal level permission.

CVSS 4.3; AI Score 4.6; EPSS 0.0005; 2022-06-07 07:15 PM

CVE-2022-30740

Improper auto-fill algorithm in Samsung Internet prior to version 17.0.1.69 allows physical attackers to guess stored credit card numbers.

CVSS 4.3; AI Score 4.3; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30741

Sensitive information exposure vulnerability in SimChangeAlertManger of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log.

CVSS 3.3; AI Score 3.7; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30742

Sensitive information exposure vulnerability in FmmExtraOperation of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log.

CVSS 3.3; AI Score 3.8; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30743

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the data of contact and gallery without permission.

CVSS 5.3; AI Score 5.2; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30744

DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows attacker to execute arbitrary code.

CVSS 7.8; AI Score 7.8; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30745

Improper access control vulnerability in Quick Share prior to version 13.1.2.4 allows attacker to access internal files in Quick Share.

CVSS 5.5; AI Score 5.4; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30746

Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access sensitive information remotely using javascript interface API.

CVSS 7.5; AI Score 7.3; EPSS 0.001; 2022-06-07 07:15 PM

CVE-2022-30747

PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.

CVSS 5.5; AI Score 5.3; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30748

Unprotected dynamic receiver in Samsung Members prior to version 4.2.005 allows attacker to launch arbitrary activity.

CVSS 5.5; AI Score 5.5; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-30749

Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.

CVSS 7.8; AI Score 7.5; EPSS 0.0004; 2022-06-07 07:15 PM

CVE-2022-33705

Information exposure in Calendar prior to version 12.3.05.10000 allows attacker to access calendar schedule without READ_CALENDAR permission.

CVSS 3.3; AI Score 4; EPSS 0.0004; 2022-07-12 02:15 PM

CVE-2022-33706

Improper access control vulnerability in Samsung Gallery prior to version 13.1.05.8 allows physical attackers to access the pictures using S Pen air gesture.

CVSS 2.4; AI Score 3.7; EPSS 0.0005; 2022-07-12 02:15 PM

CVE-2022-33707

Improper identifier creation logic in Find My Mobile prior to version 7.2.24.12 allows attacker to identify the device.

CVSS 5.3; AI Score 5.2; EPSS 0.001; 2022-07-12 02:15 PM
Total number of security vulnerabilities: 900