CVE-2022-36870 — Improper Authorization in Mobile Samsung PAY

CWE-285 — Improper Authorization3 documents3 sources

Severity

6.5MEDIUMNVD

CNA5.0

EPSS

0.1%

top 82.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Mobile Samsung PAY Samsung PAY Samsung PAY KR

Timeline

PublishedSep 9

Latest updateSep 10

Description

Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 2.0 | Impact: 4.0

Affected Packages3 packages

▶NVDsamsung/samsung_pay< 5.1.47

▶NVDsamsung/samsung_pay_kr< 5.0.63

▶CVEListV5samsung_mobile/samsung_payunspecified — 5.0.63 for KR and 5.1.47 for Global

🔴Vulnerability Details

GHSA

GHSA-3xw3-hxv2-jwq2: Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5↗2022-09-10

▶

CVEList

CVE-2022-36870: Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5↗2022-09-09

▶