Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

**Zoom Mobile App for Android, Zoom Mobile App for iOS and Zoom SDKs - Cryptographic Issues**

*   Bulletin: ZSB-23056
*   CVEID: CVE-2023-43583
*   CVSS Severity: Medium
*   CVSS Score: 4.9
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description:

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Mobile App for Android before version 5.16.0
*   Zoom Mobile App for iOS before version 5.16.0
*   Zoom Video SDK for Android before version 5.16.0
*   Zoom Video SDK for iOS before version 5.16.0
*   Zoom Meeting SDK for Android before version 5.16.0
*   Zoom Meeting SDK for iOS before version 5.16.0

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-43583: ZSB 23056

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

**Zoom Clients - Improper Authentication**

*   Bulletin: ZSB-23062
*   CVEID: CVE-2023-49646
*   CVSS Severity: Medium
*   CVSS Score: 5.4
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description:

 Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom Desktop Client for macOS before version 5.16.5
*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Mobile App for Android before version 5.16.5
*   Zoom Desktop Client for Linux before version 5.16.5
*   Zoom VDI Client before version 5.16.5 (excluding 5.14.14 and 5.15.12)
*   Zoom SDKs before version 5.16.5

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-49646: ZSB 23062

By Deeba Ahmed
Hidden Code, Hidden Profits - Tracked Before You Click - SDBN Takes Adobe to Court Over Alleged Illegal Tracking of Dutch Cizitens.
This is a post from HackRead.com Read the original post: Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Dutch privacy watchdog SDBN alleges that Adobe is spying on and collecting data from ‘virtually every Dutch internet user’ through the illegal placement of tracking cookies.

Dutch privacy watchdog Stichting Data Bescherming Nederland (**SDBN**) is suing Adobe for illegally tracking and sharing the personal data of millions of Dutch citizens.

For your information, SDBN is a Netherlands-based non-profit foundation striving to safeguard users’ privacy and data protection. Apart from Adobe, the organization is also actively pursuing lawsuits against Amazon and X (formerly Twitter).

Adobe, a United States-based design software company known for its creativity and multimedia software products, is accused of secretly collecting vast amounts of data from users visiting prominent websites and apps, including Dutch telecommunications company KPN, Stichting Pensioenfonds ABP (National Civil Pension Fund), and the Dutch Tax Authority.

According to SDBN, the collected data is then shared with multiple third parties without obtaining user consent. Moreover, the company allegedly used tactics like hidden tracking cookies and app SDKs to collect data.

In a press release that the organization shared with Hackread.com, users are kept in the dark about their digital footprints, and sometimes Adobe plants cookies before they can say no. These profiles are shared with other companies for targeted advertising.

This practice violates the General Data Protection Regulation (**GDPR**), putting users at risk of data exposure, identity fraud, and other privacy concerns. SDBN claims that Adobe is snooping on nearly every Dutch citizen, even those who have never used Adobe products.

> _“Via websites and apps, Adobe itself illegally collects an enormous amount of data on virtually every Dutch internet user, irrespective of whether they have ever used an Adobe product”._
> 
> SDBN

It warns that this data trade is not risk-free and could expose sensitive information and identity. They are taking Adobe to court, demanding an end to the covert tracking and compensation for millions of affected Dutch citizens.

Adobe profited financially from this unlawful data collection. Hence, SDBN filed a class action lawsuit demanding Adobe to cease illegal data collection, destroy all the illegally collected data, and disclose all parties with whom data has been shared. The lawsuit aims to stop tracking cookies on popular websites and hidden code in apps like Marktplaats and Buienradar. 

SDBN also demands justice for an estimated seven million Dutch citizens whose data was shared, demanding Adobe to remove every illegally collected data and give impacted users compensation for the privacy invasion. 

Dutch internet users can join the fight by signing up for a free mass claim on SDBN’s website. If a Dutch internet user has visited the aforementioned websites or used the listed apps, they may be eligible to join the lawsuit and claim compensation.

SDBN’s chairperson Anouk Ruhaak, stated that the design software vendor’s involvement in mass data collection and trading is surprising.

“While Adobe is primarily recognized as a design software supplier, what’s surprising is its simultaneous involvement in the digital personal data market – tracking your online activities. Have you made online Christmas purchases? Well, Adobe likely has a detailed record of what you browsed and where you bought your Christmas stockings or perfume.”

SDBN also shared a list of websites and apps which it claims are used by Adobe to track users. These included the following sites:

*   Abp.nl
*   Albelli.nl
*   Bruna.nl
*   Douglas.nl
*   Expedia.nl
*   Gamma.nl
*   Karwei.nl
*   ketnet.be
*   Kijk.nl
*   Kpn.com
*   Kwf.nl
*   Tui.nl
*   Unibet.nl
*   Unive.nl
*   Wsj.com
*   Footlocker.nl
*   Hallmark.com
*   Beterhoren.nl
*   Belastingdienst.nl

****Examples of mobile apps (iOS and Android) that allegedly contain Adobe tracking software include:****

*   Asos
*   RTL XL
*   MijnKPN
*   Ziggo GO
*   Buienradar
*   Marktplaats
*   PlayStation
*   TomTom Go Navigation
*   Essent Verbruiksmanager

****_RELATED ARTICLES_****

1.  **Canada Bans WeChat and Kaspersky Due to Spying Concerns**
2.  **Google Facing Lawsuit Over Tracking Users in Incognito Mode**
3.  **$4 billion lawsuit claims Google tracked iPhone users’ activities**
4.  **Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews**
5.  **Authors Sue OpenAI: ChatGPT’s Training Methods Challenged in Lawsuit**

Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.

The AMD vulnerability sounds like something from back in the eighties:

> “A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”

And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”

MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address multiple vulnerabilities in Adobe software.

*   Adobe Prelude
*   Adobe Illustrator
*   Adobe InDesign
*   Adobe Dimension
*   Adobe Experience Manager
*   Adobe Substance3D Stager
*   Adobe Substance3D Sampler
*   Adobe Substance3D After Effects
*   Adobe Substance3D Designer

**Android**: Google released the Android December 2023 security updates with a fix for a critical zero-day.

**Apache** released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.

**Apple** issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.

**SAP** released its December 2023 Patch Day updates.

**WordPress** released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft patches 34 vulnerabilities, including one zero-day 

Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities.
This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of

Mobile Communication / Firmware security

Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities.

This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of undefined behavior during program execution.

"They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities," Ivan Lozano and Roger Piqueras Jover said in a Tuesday post.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The development comes months after the tech giant said it's working with ecosystem partners to increase the security of firmware that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband.

IntSan and BoundSan are two of the compiler-based sanitizers that Google has enabled as an exploit mitigation measure to detect arithmetic overflows and perform bounds checks around array accesses, respectively.

Google acknowledged that while both BoundSan and IntSan incur a substantial performance overhead, it has enabled it in security-critical attack surfaces ahead of a full-fledged rollout over the entire codebase. This covers -

*   Functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G
*   Libraries encoding/decoding complex formats (e.g., ASN.1, XML, DNS, etc.)
*   IMS, TCP, and IP stacks, and
*   Messaging functions (SMS, MMS)

"In the particular case of 2G, the best strategy is to disable the stack altogether by supporting Android's '2G toggle,'" the researchers said. "However, 2G is still a necessary mobile access technology in certain parts of the world and some users might need to have this legacy protocol enabled."

It's worth noting that the "tangible" benefits arising out of deploying sanitizers notwithstanding, they do not address other classes of vulnerabilities, such as those related to memory safety, necessitating a transition of the codebase to a memory-safe language like Rust.

In early October 2023, Google announced that it had rewritten the Android Virtualization Framework's (AVF) protected VM (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust.

"As the high-level operating system becomes a more difficult target for attackers to successfully exploit, we expect that lower level components such as the baseband will attract more attention," the researchers concluded.

"By using modern toolchains and deploying exploit mitigation technologies, the bar for attacking the baseband can be raised as well."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.
Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch

Patch Tuesday / Windows Security

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

*   **CVE-2023-35628** (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
*   **CVE-2023-35630** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35636** (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
*   **CVE-2023-35639** (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
*   **CVE-2023-35641** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35642** (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
*   **CVE-2023-36019** (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.

Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

*   **CVE-2023-35638** (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
*   **CVE-2023-35643** (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
*   **CVE-2023-36012** (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability

The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.

**Software Patches from Other Vendors**

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Android
*   Apache Projects (including Apache Struts)
*   Apple
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Google Chromecast
*   Google Cloud
*   Google Wear OS
*   Hikvision
*   Hitachi Energy
*   HP
*   IBM
*   Jenkins
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek (including 5Ghoul)
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Qualcomm (including 5Ghoul)
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
*   Spring Framework
*   Veritas
*   VMware
*   WordPress
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical

By Waqas
Another day, another gaming giant claimed by a ransomware group.
This is a post from HackRead.com Read the original post: Spider-Man Developer Insomniac Games Hit by Rhysida Ransomware

Rhysida ransomware, an emerging variant since May 2023, is demanding a ransom of 50 Bitcoins, equivalent to approximately $2 million at the time of writing.

Spider-Man and Spider-Man 2 developer Insomniac Games has apparently been hit by a ransomware attack perpetrated by the group Rhysida. This gang is currently auctioning off alleged stolen data for a starting price of $2 million in Bitcoin.

While the Rhysida ransomware gang claims the data is “exclusive, unique, and impressive,” details regarding its specific contents and volume remain unclear. “Low-quality screenshots,” shared by the group, appear to show confidential internal emails, passport copies, personal ID cards, and images related to game assets or gameplay.

The cybercrime gang is currently offering the Burbank, California-based Insomniac a week to respond to their demands before releasing the stolen data to the highest bidder. Notably, the group only accepts Bitcoin for ransomware payments, with their current asking price exceeding US$40,000. The initial bid for the stolen data stands at 50 Bitcoin (approximately $2 million).

“With just seven days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data. Open your wallets and be ready to buy exclusive data. We sell only to one hand , no reselling, you will be the only owner,” Rhysida posted on their Dark Web blog site.

This short deadline is a tactic commonly used by ransomware actors to pressure companies into paying the ransom demand. 

Rhysida, a relatively new player on the cybercrime scene, first emerged in May 2023. The US Cybersecurity and Infrastructure Security Agency (CISA) classifies it as a threat actor targeting “targets of opportunity” across various sectors, including education, healthcare, manufacturing, information technology, and government.

This notorious threat the group has targeted nearly 50 organizations over the past 12 months, including the Chilean government and the Prospect Medical Group. The group operates a profit-based ransomware-as-a-service (RaaS) and is believed to have connections to Vice Society, a group known for its attacks on education in the US, Canada, and the UK. 

The data exposed in the Rhysida ransomware attack on Insomniac Games extends beyond game assets and confidential emails, including highly sensitive personal information like passport scans of current/former employees, private details about actor Yuri Lowenthal, the voice of Peter Parker in Insomniac’s Spider-Man games.

Screenshot from the dark web auction site of the Rhysida Ransomware group (Credit: Hackread.com)

This is precisely the data any company would strive to keep confidential under any circumstances. As witnessed with the recent Medibank leak, releasing a limited sample of stolen data is a standard practice for these groups to demonstrate their access and leverage their demands.

PlayStation Studios, Insomniac’s owner, is yet to respond to this incident. Hackread.com will update this post when the company releases an official statement.

****_RELATED ARTICLES_****

1.  **Online gaming and protection against cyber attacks**
2.  **Fake Cyberpunk 2077 Android App Delivering Ransomware**
3.  **Gaming controllers manufacturer exposed 1.1M customer records**
4.  **ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee**
5.  **Capcom ransomware attack: Gaming details leaked; no ransom paid**

Spider-Man Developer Insomniac Games Hit by Rhysida Ransomware

Apple has issued emergency updates that include patches for older iOS devices concerning two actively used zero-days that were patched for iOS 17 last week

Apple has issued emergency updates that include patches for older iOS devices concerning the two actively used zero-day vulnerabilities that were patched last week in newer devices.

Updates are available for:

Safari 17.2

macOS Monterey and macOS Ventura

iOS 17.2 and iPadOS 17.2

iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.3 and iPadOS 16.7.3

iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

macOS Sonoma 14.2

macOS Sonoma

macOS Ventura 13.6.3

macOS Ventura

macOS Monterey 12.7.2

macOS Monterey

tvOS 17.2

Apple TV HD and Apple TV 4K (all models)

watchOS 10.2

Apple Watch Series 4 and later

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

Owners of devices running iOS 16.7 and iPad iOS 16.7 are especially encouraged to update as soon as possible, since the fixed issues may have been exploited against versions of iOS before iOS 16.7.1.

Apple doesn’t disclose, discuss, or confirm details about security issues until an investigation has occurred and patches or releases are available. But both vulnerabilities were credited to Clément Lecigne of Google’s Threat Analysis Group (TAG). 

Recently we saw an update for the Chrome browser which included a patch for an actively exploited zero-day vulnerability. That vulnerability was reported by TAG’s Benoît Sevens and the formerly mentioned Clément Lecigne. These Google TAG researchers are renowned for finding and disclosing zero-day vulnerabilities used in state-sponsored spyware attacks.

**We don’t just report on Android and iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Android devices by downloading Malwarebytes for Android today. And keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Update now! Apple issues patches for older iPhones and other devices 

Workspace ONE Launcher contains a Privilege Escalation Vulnerability. A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information.

Advisory ID: VMSA-2023-0027

CVSSv3 Range: 6.3

Issue Date: 2023-12-12

Updated On: 2023-12-12 (Initial Advisory)

CVE(s): CVE-2023-34064

Synopsis: VMware Workspace ONE Launcher updates addresses privilege escalation vulnerability. (CVE-2023-34064)

****1\. Impacted Products****

*   VMware Workspace ONE Launcher
    

****2\. Introduction****

A privilege escalation vulnerability in VMware Workspace ONE Launch was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

****3\. Privilege Escalation Vulnerability****

Workspace ONE Launcher contains a Privilege Escalation Vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.3.

A malicious actor with physical access to Workspace ONE Launcher could utilize the Edge Panel feature to bypass setup to gain access to sensitive information.

To remediate CVE-2023-34064 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

VMware would like to thank Bartek Pszczola of Defendable for reporting this issue to us.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Workspace ONE Launcher

23.x

Android

CVE-2023-34064

6.3

moderate

23.11

N/A

None

VMware Workspace ONE Launcher

22.x

Android

CVE-2023-34064

6.3

moderate

23.11

N/A

None

****4\. References****

****5\. Change Log****

**2023-12-12 VMSA-2023-0027**

Initial security advisory.

****6\. Contact****

CVE-2023-34064: VMSA-2023-0027

Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.



Tag

#android