CVE-2018-9458UI Misrepresentation / Clickjacking in INC Android

CWE-1021UI Misrepresentation / Clickjacking4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 79.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Google INC AndroidGoogle Android
Timeline
PublishedNov 6
Latest updateMay 13

Description

In computeFocusedWindow of RootWindowContainer.java, and related functions, there is possible interception of keypresses due to focus being on the wrong window. This could lead to local escalation of privilege revealing the user's keypresses while the screen was locked with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android-8.1 Android ID: A-71786287.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDgoogle/android8.0, 8.1+1
CVEListV5google_inc/androidAndroid-8.0 Android-8.1

🔴Vulnerability Details

2
GHSA
GHSA-q9q7-mvqx-8v66: In computeFocusedWindow of RootWindowContainer2022-05-13
CVEList
CVE-2018-9458: In computeFocusedWindow of RootWindowContainer2018-11-06

📋Vendor Advisories

1
Android
CVE-2018-9458: Android Security Bulletin 2018-08-01 CVE: CVE-2018-9458 Severity: HIGH Type: EoP Affected AOSP versions: 82018-08-01
CVE-2018-9458 — UI Misrepresentation / Clickjacking | cvebase