Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-27108

An issue was discovered in KaiOS 3.0. The pre-installed Communications application exposes a Web Activity that returns the user's call log without origin or permission checks. An attacker can inject a JavaScript payload that runs in a browser or app without user interaction or consent. This allows an attacker to send the user's call logs to a remote server via XMLHttpRequest or Fetch.

Published

2023-05-01T22:15:09.617

Last Modified

2025-01-30T17:15:13.723

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	kaiostech	kaios	3.0	Yes

References

https://gist.github.com/Tombarr/5ed6675f33e0eca149a8b4d38ce76dda Product ([email protected])
https://kaios.dev/cve/1409490 Exploit ([email protected])
https://gist.github.com/Tombarr/5ed6675f33e0eca149a8b4d38ce76dda Product (af854a3a-2127-422b-91ae-364da2661108)
https://kaios.dev/cve/1409490 Exploit (af854a3a-2127-422b-91ae-364da2661108)