CVE-2023-25647 - OpenCVE

There is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could monitor the touch event.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zte	Axon 30 Axon 30 Firmware Axon 40 Pro Axon 40 Pro Firmware Axon 40 Ultra Axon 40 Ultra Firmware Nubia Z50 Nubia Z50 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:zte:axon_30:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:axon_30_firmware:*:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:h:zte:axon_40_pro:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:axon_40_pro_firmware:*:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:h:zte:axon_40_ultra:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:axon_40_ultra_firmware:*:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:h:zte:nubia_z50:-:*:*:*:*:*:*:*

cpe:2.3:o:zte:nubia_z50_firmware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264

History

No history.

MITRE

Status: PUBLISHED

Assigner: zte

Published: 2023-08-17T02:13:19.932Z

Updated: 2024-08-02T11:25:19.245Z

Reserved: 2023-02-09T19:47:48.022Z

Link: CVE-2023-25647

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-17T03:15:09.003

Modified: 2023-08-24T16:20:12.140

Link: CVE-2023-25647

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25647", "assignerOrgId": "6786b568-6808-4982-b61f-398b0d9679eb", "state": "PUBLISHED", "assignerShortName": "zte", "dateReserved": "2023-02-09T19:47:48.022Z", "datePublished": "2023-08-17T02:13:19.932Z", "dateUpdated": "2024-08-02T11:25:19.245Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Android"], "product": "Some ZTE Mobile Phones", "vendor": "ZTE", "versions": [{"lessThanOrEqual": "V1.0.0B07", "status": "affected", "version": "NON_EEA_P870F21V1.0.0B01", "versionType": "V1.0.0B07"}, {"lessThanOrEqual": "V1.0.0B18MR", "status": "affected", "version": " GEN_ZTE_PQ82A01V1.0.0B01MR", "versionType": "V1.0.0B18MR"}, {"lessThanOrEqual": "V3.0.0B05", "status": "affected", "version": "GEN_ZTE_P870A01V3.0.0B01", "versionType": "V3.0.0B05"}, {"lessThanOrEqual": "V2.0.0B16", "status": "affected", "version": "GEN_ZTE_P898A01V2.0.0B01", "versionType": "V2.0.0B16"}]}], "datePublic": "2023-07-27T02:10:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\n<span style=\"background-color: rgb(255, 255, 255);\">T</span><span style=\"background-color: rgb(255, 255, 255);\">here is a permission and access control vulnerability in some ZTE mobile phones. Due to </span><span style=\"background-color: rgb(255, 255, 255);\">improper access control</span><span style=\"background-color: rgb(255, 255, 255);\">, </span><span style=\"background-color: rgb(255, 255, 255);\">applications in mobile phone c</span><span style=\"background-color: rgb(255, 255, 255);\">ould</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><span style=\"background-color: rgb(255, 255, 255);\">monitor</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><span style=\"background-color: rgb(255, 255, 255);\">the touch</span><span style=\"background-color: rgb(255, 255, 255);\"> event.</span>\n\n\n\n"}], "value": "\n\n\nThere is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could\u00a0monitor\u00a0the touch\u00a0event.\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-554", "descriptions": [{"lang": "en", "value": "CAPEC-554 Functionality Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6786b568-6808-4982-b61f-398b0d9679eb", "shortName": "zte", "dateUpdated": "2023-08-30T00:56:20.949Z"}, "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264"}], "source": {"discovery": "EXTERNAL"}, "title": "Permission and Access Control Vulnerability in Some ZTE Mobile Phones", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:25:19.245Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:zte:axon_30:-:*:*:*:*:*:*:*", "matchCriteriaId": "F2F14440-A165-43E7-BDA7-EC4C9C95123E", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:zte:axon_30_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7C570B-450A-46EF-BE44-C9080D843A58", "versionEndExcluding": "3.0.0b06", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:zte:axon_40_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "3A9FA4EE-82AA-4C53-A084-7B7286361253", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:zte:axon_40_pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9D395-28E9-4618-90AC-389D57EFC0BE", "versionEndExcluding": "1.0.0b16", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:zte:axon_40_ultra:-:*:*:*:*:*:*:*", "matchCriteriaId": "3C9F41AC-BCE6-416B-B11F-D86769525F9D", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:zte:axon_40_ultra_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D7BB985-80B3-49A2-8AE4-6077CB394328", "versionEndExcluding": "2.0.0b17", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:zte:nubia_z50:-:*:*:*:*:*:*:*", "matchCriteriaId": "34767307-B629-4BE7-8530-F604BF5BF459", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:zte:nubia_z50_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "5372F382-E1BF-4446-A2FE-679951C97FA1", "versionEndExcluding": "1.0.0b19mr", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\n\n\nThere is a permission and access control vulnerability in some ZTE mobile phones. Due to improper access control, applications in mobile phone could\u00a0monitor\u00a0the touch\u00a0event.\n\n\n\n"}], "id": "CVE-2023-25647", "lastModified": "2023-08-24T16:20:12.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "psirt@zte.com.cn", "type": "Secondary"}]}, "published": "2023-08-17T03:15:09.003", "references": [{"source": "psirt@zte.com.cn", "tags": ["Vendor Advisory"], "url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032264"}], "sourceIdentifier": "psirt@zte.com.cn", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "psirt@zte.com.cn", "type": "Secondary"}]}