Samsung Mobile Galaxy Store vulnerabilities
14 known vulnerabilities affecting samsung_mobile/galaxy_store.
Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 5
Vulnerabilities
CVE-2023-21516 | CRITICAL | CVSS 9.6 | ≥ unspecified, < 4.5.49.8 | 2023-05-26
CVE-2023-21516 [HIGH] CWE-20
XSS vulnerability from InstantPlay in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.
Sources: cvelistv5, nvd
CVE-2023-21514 | HIGH | CVSS 8.8 | ≥ unspecified, < 4.5.49.8 | 2023-05-26
CVE-2023-21514 [HIGH] CWE-20
Improper scheme validation from InstantPlay Deeplink in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.
Sources: cvelistv5, nvd
CVE-2023-21515 | HIGH | CVSS 8.8 | ≥ unspecified, < 4.5.49.8 | 2023-05-26
CVE-2023-21515 [HIGH] CWE-20
InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.
Sources: cvelistv5, nvd
CVE-2023-21433 | HIGH | CVSS 7.8 | ≥ unspecified, < 4.5.49.8 | 2023-02-09
CVE-2023-21433 [HIGH] CWE-285
Improper access control vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to install applications from Galaxy Store.
Sources: cvelistv5, nvd
CVE-2023-21434 | MEDIUM | CVSS 6.1 | ≥ unspecified, < 4.5.49.8 | 2023-02-09
CVE-2023-21434 [MEDIUM] CWE-20
Improper input validation vulnerability in Galaxy Store prior to version 4.5.49.8 allows local attackers to execute JavaScript by launching a web page.
Sources: cvelistv5, nvd
CVE-2022-33708 | HIGH | CVSS 7.8 | ≥ unspecified, < 4.5.41.8 | 2022-07-12
CVE-2022-33708 [HIGH] CWE-20
Improper input validation vulnerability in AppsPackageInstaller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
Sources: cvelistv5, nvd
CVE-2022-33709 | HIGH | CVSS 7.8 | ≥ unspecified, < 4.5.41.8 | 2022-07-12
CVE-2022-33709 [HIGH] CWE-20
Improper input validation vulnerability in ApexPackageInstaller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
Sources: cvelistv5, nvd
CVE-2022-33710 | HIGH | CVSS 7.8 | ≥ unspecified, < 4.5.41.8 | 2022-07-12
CVE-2022-33710 [HIGH] CWE-20
Improper input validation vulnerability in BillingPackageInsraller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.
Sources: cvelistv5, nvd
CVE-2022-28791 | MEDIUM | CVSS 5.5 | ≥ -, < 4.5.41.3 | 2022-05-03
CVE-2022-28791 [MEDIUM] CWE-20
Improper input validation vulnerability in InstallAgent in Galaxy Store prior to version 4.5.41.8 allows attacker to overwrite files stored in a specific path. The patch adds proper protection to prevent overwrite to existing files.
Sources: cvelistv5, nvd
CVE-2022-28776 | HIGH | CVSS 7.8 | ≥ -, < 4.5.36.4 | 2022-04-11
CVE-2022-28776 [MEDIUM] CWE-285
Improper access control vulnerability in Galaxy Store prior to version 4.5.36.4 allows attacker to install applications from Galaxy Store without user interactions.
Sources: cvelistv5, nvd
CVE-2022-28544 | MEDIUM | CVSS 5.5 | ≥ -, < 4.5.40.5 | 2022-04-11
CVE-2022-28544 [MEDIUM] CWE-22
Path traversal vulnerability in unzip method of InstallAgentCommonHelper in Galaxy Store prior to version 4.5.40.5 allows attacker to access the file of Galaxy Store.
Sources: cvelistv5, nvd
CVE-2022-28542 | MEDIUM | CVSS 5.5 | ≥ -, < 4.5.40.5 | 2022-04-11
CVE-2022-28542 [MEDIUM] CWE-284
Improper sanitization of incoming intent in Galaxy Store prior to version 4.5.40.5 allows local attackers to access privileged content providers as Galaxy Store permission.
Sources: cvelistv5, nvd
CVE-2022-22288 | HIGH | CVSS 7.5 | ≥ -, < 4.5.36.5 | 2022-01-10
CVE-2022-22288 [HIGH] CWE-285
Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 allows remote app installation of the allowlist.
Sources: cvelistv5, nvd
CVE-2021-25499 | MEDIUM | CVSS 5.5 | ≥ -, < 4.5.32.4 | 2021-10-06
CVE-2021-25499 [HIGH] CWE-285
Intent redirection vulnerability in SamsungAccountSDKSigninActivity of Galaxy Store prior to version 4.5.32.4 allows attacker to access content provider of Galaxy Store.
Sources: cvelistv5, nvd