The issue is due to a logic error in the code where the ActivityRecord.setOptions() method is called during the Activity’s onCreate() method where Intent has been set to any arbitrary Java code to be executed. If an attacker can control the code that is being executed, then they could leverage the logic error to load a malicious library and potentially gain code execution with no additional privileges needed. The issue was addressed by changing the code where ActivityRecord.setOptions() is called during the Activity’s onCreate() method to validate the Intent before setting the options. User interaction is not needed for exploitation. However, if the user's device runs a custom or modified version of the Android operating system, then the issue could be exploitable by an attacker. This issue affected devices running Android 8.1 (API level 27) and earlier versions and devices running Android 4.4 or earlier versions.

Product: Android

CVE number: CVE-2019-5398

VENDOR: Google Inc.

DESCRIPTION: An issue was discovered in certain Google advertising domains. These domains sent a spoofed POST request to a targeted user’s calendar feed, which resulted in the targeted user getting an email about a business event from another user. This email contained a link to the attacker’s website that redirected the user to a phishing site. The link was provided by the calendar feed in the spoofed email. This could lead to user confusion and loss of trust.

BUGTRAQ: Android Bugs You Should Know About


CVE-2019-5398: Calendar Spoofing
This vulnerability affected devices running Android 8.1 (API level 27) and earlier versions and devices running Android 4.4 or earlier versions.
Product: Android

CVSS Measures

CVSS Base Score: 7.8

CVSS Vector: CVSS Base Vector: CVSS Temporal Vector:

CVSS Environmental Score*: ????

*Note that CVSS Environmental Score is not a measure of the impact on the environment, rather it provides information on how the vulnerability impacts the user's machine and what the consequences are for an attacker. The scale below is used to measure this score.

Timeline

Published on: 10/11/2022 20:15:00 UTC
Last modified on: 10/13/2022 02:49:00 UTC

References