Arbitrary File Reads/Writes via Missing Permission in Pre-Installed Apps
CVE-2023-38295

7.8 HIGH

Key Information:

Vendor: TCL

CVE Published: 22 April 2024

What is CVE-2023-38295?

Certain software builds for the TCL 30Z and TCL 10 Android devices ship pre-installed applications that lack an essential permission, allowing third-party apps to gain unauthorized access to system-level functionality. Specifically, the vulnerability arises from the missing permission com.tct.smart.switchphone.permission.SWITCH_DATA, which lets a malicious application interact with system-level service components and perform arbitrary file reads and writes without user intervention. The affected components are the pre-installed screen recording application on the TCL 30Z and the SOS application on the TCL 10L, both of which can be exploited in this way. The vulnerability has been confirmed on various builds, exposing users of these devices to potential loss of privacy and data integrity.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
