CVE-2023-20976Improper Input Validation in Google Android

CWE-20Improper Input Validation4 documents4 sources
Severity
7.3HIGHNVD
EPSS
0.0%
top 92.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Platform Packages Apps SettingsGoogle Android
Timeline
PublishedMar 24
Latest updateJun 1

Description

In getConfirmationMessage of DefaultAutofillPicker.java, there is a possible way to mislead the user to select default autofill application due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-216117246

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages3 packages

CVEListV5google/androidAndroid-13
NVDgoogle/android13.0
Androidplatform/packages_apps_settings13-next:013-next:2023-06-01+1

🔴Vulnerability Details

3
OSV
CVE-2023-20976: In getConfirmationMessage of DefaultAutofillPicker2023-06-01
CVEList
CVE-2023-20976: In getConfirmationMessage of DefaultAutofillPicker2023-03-24
GHSA
GHSA-w5cr-gcpx-w5wp: In getConfirmationMessage of DefaultAutofillPicker2023-03-24
CVE-2023-20976 — Improper Input Validation in Google | cvebase