CVE-2015-7893
published 2017-04-11

CVE-2015-7893: SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, which allows remote attackers to execute arbitrary JavaScript.

Priority: P258 high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 7.38% (93.6th percentile)

Detection & IOCs (extracted from sources)

command: try { document.write(document.location); } catch(e) { document.write(e.message); }
other: com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND
url: email://M/N
  • Look for HTML emails containing inline <script> tags or JavaScript event handlers being rendered inside a WebView by SecEmailUI.apk on Samsung Galaxy S6 devices.
  • Monitor for the Android intent com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND being invoked with attacker-controlled HTML payloads, which can trigger script execution in the email composer context.
  • Alert on JavaScript accessing document.location within the Samsung email WebView context; successful exploitation produces a URL of the form email://M/N confirming script execution.
  • Watch for outbound HTTP POST requests from the Samsung email application process that may indicate exfiltration of email content via injected JavaScript.
  • The WebView's access to local files and other emails was not fully confirmed by the researcher; the full attack surface depends on the WebView configuration in SecEmailUI.apk.

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P