Samsung

Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51

CVE-2022-39909 5.5 - Medium - December 08, 2022

Insufficient verification of data authenticity vulnerability in Samsung Gear IconX PC Manager prior to version 2.1.221019.51 allows local attackers to create arbitrary file using symbolic link.

Insufficient Verification of Data Authenticity

Improper access control vulnerability in Samsung Pass prior to version 4.0.06.7

CVE-2022-39910 4.2 - Medium - December 08, 2022

Improper access control vulnerability in Samsung Pass prior to version 4.0.06.7 allow physical attackers to access data of Samsung Pass on a certain state of an unlocked device using pop-up view.

Improper check or handling of exceptional conditions vulnerability in Samsung Pass prior to version 4.0.06.1

CVE-2022-39911 6.8 - Medium - December 08, 2022

Improper check or handling of exceptional conditions vulnerability in Samsung Pass prior to version 4.0.06.1 allows attacker to access Samsung Pass.

Improper access control vulnerability in GalaxyWatch4Plugin prior to versions 2.2.11.22101351 and 2.2.12.22101351

CVE-2022-39889 3.3 - Low - November 09, 2022

Improper access control vulnerability in GalaxyWatch4Plugin prior to versions 2.2.11.22101351 and 2.2.12.22101351 allows attackers to access wearable device information.

Improper Authorization in Samsung Billing prior to version 5.0.56.0

CVE-2022-39890 7.5 - High - November 09, 2022

Improper Authorization in Samsung Billing prior to version 5.0.56.0 allows attacker to get sensitive information.

Heap overflow vulnerability in parse_pce function in libsavsaudio.so in Editor Lite prior to version 4.0.41.3

CVE-2022-39891 7.5 - High - November 09, 2022

Heap overflow vulnerability in parse_pce function in libsavsaudio.so in Editor Lite prior to version 4.0.41.3 allows attacker to get information.

Memory Corruption

Improper access control in Samsung Pass prior to version 4.0.05.1

CVE-2022-39892 9.8 - Critical - November 09, 2022

Improper access control in Samsung Pass prior to version 4.0.05.1 allows attackers to unauthenticated access via keep open feature.

Sensitive information exposure vulnerability in FmmBaseModel in Galaxy Buds Pro Manage prior to version 4.1.22092751

CVE-2022-39893 3.3 - Low - November 09, 2022

Sensitive information exposure vulnerability in FmmBaseModel in Galaxy Buds Pro Manage prior to version 4.1.22092751 allows local attackers with log access permission to get device identifier data through device log.

Insertion of Sensitive Information into Log File

Improper access control vulnerability in QuickShare prior to version 13.2.3.5

CVE-2022-39860 3.5 - Low - October 07, 2022

Improper access control vulnerability in QuickShare prior to version 13.2.3.5 allows attackers to access sensitive information via implicit broadcast.

Exposure of Resource to Wrong Sphere

Unprotected Receiver in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51

CVE-2022-39861 3.3 - Low - October 07, 2022

Unprotected Receiver in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to record video without camera privilege.

AuthZ

Intent redirection vulnerability in Samsung Account prior to version 13.5.01.3

CVE-2022-39863 4.7 - Medium - October 07, 2022

Intent redirection vulnerability in Samsung Account prior to version 13.5.01.3 allows attackers to access content providers without permission.

Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25

CVE-2022-39864 7.5 - High - October 07, 2022

Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0

CVE-2022-39865 7.5 - High - October 07, 2022

Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0

CVE-2022-39866 7.5 - High - October 07, 2022

Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0

CVE-2022-39867 7.5 - High - October 07, 2022

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0

CVE-2022-39868 7.5 - High - October 07, 2022

Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0

CVE-2022-39869 7.5 - High - October 07, 2022

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0

CVE-2022-39870 7.5 - High - October 07, 2022

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0

CVE-2022-39871 7.5 - High - October 07, 2022

Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.

Exposure of Resource to Wrong Sphere

Improper restriction of broadcasting Intent in ShareLive prior to version 13.2.03.5 leaks MAC address of the connected Bluetooth device.

CVE-2022-39872 3.3 - Low - October 07, 2022

Improper restriction of broadcasting Intent in ShareLive prior to version 13.2.03.5 leaks MAC address of the connected Bluetooth device.

Improper Handling of Exceptional Conditions

Sensitive log information leakage vulnerability in Samsung Account prior to version 13.5.0

CVE-2022-39874 5.5 - Medium - October 07, 2022

Sensitive log information leakage vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout.

Insertion of Sensitive Information into Log File

Improper component protection vulnerability in Samsung Account prior to version 13.5.0

CVE-2022-39875 4.4 - Medium - October 07, 2022

Improper component protection vulnerability in Samsung Account prior to version 13.5.0 allows attackers to unauthorized logout.

Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13

CVE-2022-39876 3.3 - Low - October 07, 2022

Insertion of Sensitive Information into Log in PushRegIdUpdateClient of SReminder prior to 8.2.01.13 allows attacker to access device IMEI.

Insertion of Sensitive Information into Log File

Improper access control vulnerability in Samsung Checkout prior to version 5.0.55.3

CVE-2022-39878 5.5 - Medium - October 07, 2022

Improper access control vulnerability in Samsung Checkout prior to version 5.0.55.3 allows attackers to access sensitive information via implicit intent broadcast.

Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14

CVE-2022-39873 4.6 - Medium - October 07, 2022

Improper authorization vulnerability in Samsung Internet prior to version 18.0.4.14 allows physical attackers to add bookmarks in secret mode without user authentication.

AuthZ

Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51

CVE-2022-39857 5.5 - Medium - October 07, 2022

Improper access control vulnerability in CameraTestActivity in FactoryCameraFB prior to version 3.5.51 allows attackers to access broadcasting Intent as system uid privilege.

Exposure of Resource to Wrong Sphere

Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51

CVE-2022-39858 7.8 - High - October 07, 2022

Path traversal vulnerability in AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to write arbitrary file as FactoryCamera privilege.

Directory traversal

Implicit intent hijacking vulnerability in UPHelper library prior to version 3.0.12

CVE-2022-39859 3.3 - Low - October 07, 2022

Implicit intent hijacking vulnerability in UPHelper library prior to version 3.0.12 allows attackers to access sensitive information via implicit intent.

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE)

CVE-2022-40279 7.5 - High - September 29, 2022

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). l2_packet_receive_timeout in wpa_supplicant/src/l2_packet/l2_packet_pcap.c has a missing check on the return value of pcap_dispatch, leading to a denial of service (malfunction).

Unchecked Return Value

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE)

CVE-2022-40278 7.5 - High - September 29, 2022

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). createDB in security/provisioning/src/provisioningdatabasemanager.c has a missing sqlite3_free after sqlite3_exec, leading to a denial of service.

Dangling pointer

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACComputeFinal function in Samsung mTower through 0.3.0

CVE-2022-40757 7.5 - High - September 16, 2022

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACComputeFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACComputeFinal with an excessive size value of messageLen.

Buffer Overflow

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_CipherUpdate function in Samsung mTower through 0.3.0

CVE-2022-40758 7.5 - High - September 16, 2022

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_CipherUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_CipherUpdate with an excessive size value of srcLen.

Buffer Overflow

A NULL pointer dereference issue in the TEE_MACCompareFinal function in Samsung mTower through 0.3.0

CVE-2022-40759 7.5 - High - September 16, 2022

A NULL pointer dereference issue in the TEE_MACCompareFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACCompareFinal with a NULL pointer for the parameter operation.

NULL Pointer Dereference

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACUpdate function in Samsung mTower through 0.3.0

CVE-2022-40760 7.5 - High - September 16, 2022

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACUpdate with an excessive size value of chunkSize.

Buffer Overflow

The function tee_obj_free in Samsung mTower through 0.3.0

CVE-2022-40761 7.5 - High - September 16, 2022

The function tee_obj_free in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_AllocateOperation with a disturbed heap layout, related to utee_cryp_obj_alloc.

Improper Input Validation

A Memory Allocation with Excessive Size Value vulnerablity in the TEE_Realloc function in Samsung mTower through 0.3.0

CVE-2022-40762 7.5 - High - September 16, 2022

A Memory Allocation with Excessive Size Value vulnerablity in the TEE_Realloc function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_Realloc with an excessive number for the parameter len.

Allocation of Resources Without Limits or Throttling

DLL hijacking vulnerability in Smart Switch PC prior to version 4.3.22083_3

CVE-2022-39846 7.8 - High - September 09, 2022

DLL hijacking vulnerability in Smart Switch PC prior to version 4.3.22083_3 allows attacker to execute arbitrary code.

DLL preloading

Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of?Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device.

CVE-2022-36873 6.5 - Medium - September 09, 2022

Improper restriction of broadcasting Intent in GalaxyStoreBridgePageLinker of?Waterplugin prior to version 2.2.11.22081151 leaks MAC address of the connected Bluetooth device.

Improper Handling of Insufficient Permissions or Privileges vulnerability in Waterplugin prior to 2.2.11.22040751

CVE-2022-36874 6.2 - Medium - September 09, 2022

Improper Handling of Insufficient Permissions or Privileges vulnerability in Waterplugin prior to 2.2.11.22040751 allows attacker to access device IMEI and Serial number.

Improper Handling of Exceptional Conditions

Improper restriction of broadcasting Intent in SaWebViewRelayActivity of?Waterplugin prior to version 2.2.11.22081151

CVE-2022-36875 5.5 - Medium - September 09, 2022

Improper restriction of broadcasting Intent in SaWebViewRelayActivity of?Waterplugin prior to version 2.2.11.22081151 allows attacker to access the file without permission.

Exposure of Resource to Wrong Sphere

Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10

CVE-2022-36876 2.4 - Low - September 09, 2022

Improper authorization in UPI payment in Samsung Pass prior to version 4.0.04.10 allows physical attackers to access account list without authentication.

AuthZ

Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China

CVE-2022-36877 3.3 - Low - September 09, 2022

Exposure of Sensitive Information in FaqSymptomCardViewModel in Samsung Members prior to versions 4.3.00.11 in Global and 14.0.02.4 in China allows local attackers to access device identification via log.

Insertion of Sensitive Information into Log File

Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14

CVE-2022-36878 3.3 - Low - September 09, 2022

Exposure of Sensitive Information in Find My Mobile prior to version 7.2.25.14 allows local attacker to access IMEI via log.

Information Disclosure

Improper validation of integrity check vulnerability in Smart Switch PC prior to version 4.3.22083

CVE-2022-39844 7.1 - High - September 09, 2022

Improper validation of integrity check vulnerability in Smart Switch PC prior to version 4.3.22083 allows local attackers to delete arbitrary directory using directory junction.

Improper Validation of Integrity Check Value

Improper validation of integrity check vulnerability in Samsung Kies prior to version 2.6.4.22074

CVE-2022-39845 7.1 - High - September 09, 2022

Improper validation of integrity check vulnerability in Samsung Kies prior to version 2.6.4.22074 allows local attackers to delete arbitrary directory using directory junction.

Improper Validation of Integrity Check Value

Improper access control vulnerability in Samsung pass prior to version 4.0.03.1

CVE-2022-36851 4.6 - Medium - September 09, 2022

Improper access control vulnerability in Samsung pass prior to version 4.0.03.1 allow physical attackers to access data of Samsung pass on a certain state of an unlocked device.

Improper input validation vulnerability in SmartTagPlugin prior to version 1.2.21-6

CVE-2022-36859 4.8 - Medium - September 09, 2022

Improper input validation vulnerability in SmartTagPlugin prior to version 1.2.21-6 allows privileged attackers to trigger a XSS on a victim's devices.

Improper Input Validation

Improper access control and intent redirection in Samsung Email prior to 6.1.70.20

CVE-2022-36864 7.8 - High - September 09, 2022

Improper access control and intent redirection in Samsung Email prior to 6.1.70.20 allows attacker to access specific formatted file and execute privileged behavior.

Improper access control vulnerability in Editor Lite prior to version 4.0.40.14

CVE-2022-36867 5.5 - Medium - September 09, 2022

Improper access control vulnerability in Editor Lite prior to version 4.0.40.14 allows attackers to access sensitive information.

Improper access control vulnerability in ContactsDumpActivity of?Contacts Provider prior to version 12.7.59

CVE-2022-36869 6.1 - Medium - September 09, 2022

Improper access control vulnerability in ContactsDumpActivity of?Contacts Provider prior to version 12.7.59 allows attacker to access the file without permission.

Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global

CVE-2022-36870 6.5 - Medium - September 09, 2022

Pending Intent hijacking vulnerability in MTransferNotificationManager in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.

Pending Intent hijacking vulnerability in NotiCenterUtils in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global

CVE-2022-36871 6.5 - Medium - September 09, 2022

Pending Intent hijacking vulnerability in NotiCenterUtils in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.

Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global

CVE-2022-36872 6.5 - Medium - September 09, 2022

Pending Intent hijacking vulnerability in SpayNotification in Samsung Pay prior to version 5.0.63 for KR and 5.1.47 for Global allows attackers to access files without permission via implicit Intent.

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE)

CVE-2022-40280 7.5 - High - September 08, 2022

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). createDB in security/provisioning/src/provisioningdatabasemanager.c has a missing sqlite3_close after sqlite3_open_v2, leading to a denial of service.

Missing Release of Resource after Effective Lifetime

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE)

CVE-2022-40281 7.5 - High - September 08, 2022

An issue was discovered in Samsung TizenRT through 3.0_GBM (and 3.1_PRE). cyassl_connect_step2 in curl/vtls/cyassl.c has a missing X509_free after SSL_get_peer_certificate, leading to information disclosure.

Memory Leak

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key

CVE-2022-39828 7.5 - High - September 05, 2022

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_private_key, leading to a denial of service.

There is a NULL pointer dereference in aes256_encrypt in Samsung mTower through 0.3.0 due to a missing check on the return value of EVP_CIPHER_CTX_new.

CVE-2022-39829 7.5 - High - September 05, 2022

There is a NULL pointer dereference in aes256_encrypt in Samsung mTower through 0.3.0 due to a missing check on the return value of EVP_CIPHER_CTX_new.

NULL Pointer Dereference

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates

CVE-2022-39830 7.5 - High - September 05, 2022

sign_pFwInfo in Samsung mTower through 0.3.0 has a missing check on the return value of EC_KEY_set_public_key_affine_coordinates, leading to a denial of service.

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference

CVE-2022-36622 7.5 - High - September 01, 2022

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_GetObjectInfo1.

NULL Pointer Dereference

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference

CVE-2022-36621 7.5 - High - September 01, 2022

Samsung Electronics mTower v0.3.0 and earlier was discovered to contain a NULL pointer dereference via the function TEE_AllocateTransientObject.

NULL Pointer Dereference

TEE_Malloc in Samsung mTower through 0.3.0

CVE-2022-38155 7.5 - High - August 11, 2022

TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted application to achieve Excessive Memory Allocation via a large len value, as demonstrated by a Numaker-PFM-M2351 TEE kernel crash.

Allocation of Resources Without Limits or Throttling

Implicit Intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50

CVE-2022-36838 4.6 - Medium - August 05, 2022

Implicit Intent hijacking vulnerability in Galaxy Wearable prior to version 2.2.50 allows attacker to get sensitive information.

Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20

CVE-2022-36837 5.5 - Medium - August 05, 2022

Intent redirection vulnerability using implicit intent in Samsung email prior to version 6.1.70.20 allows attacker to get sensitive information.

Sensitive information exposure in onCharacteristicRead in Charm by Samsung prior to version 1.2.3

CVE-2022-33733 3.3 - Low - August 05, 2022

Sensitive information exposure in onCharacteristicRead in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission.

AuthZ

Implicit Intent hijacking vulnerability in Samsung Internet Browser prior to version 17.0.7.34

CVE-2022-36835 3.3 - Low - August 05, 2022

Implicit Intent hijacking vulnerability in Samsung Internet Browser prior to version 17.0.7.34 allows attackers to access arbitrary files.

DLL hijacking vulnerability in Samsung Update Setup prior to version 2.2.9.50

CVE-2022-36840 7.8 - High - August 05, 2022

DLL hijacking vulnerability in Samsung Update Setup prior to version 2.2.9.50 allows attackers to execute arbitrary code.

DLL preloading

Sensitive information exposure in onCharacteristicChanged in Charm by Samsung prior to version 1.2.3

CVE-2022-33734 5.5 - Medium - August 05, 2022

Sensitive information exposure in onCharacteristicChanged in Charm by Samsung prior to version 1.2.3 allows attacker to get bluetooth connection information without permission.

AuthZ

SQL injection vulnerability via IAPService in Samsung Checkout prior to version 5.0.53.1

CVE-2022-36839 5.5 - Medium - August 05, 2022

SQL injection vulnerability via IAPService in Samsung Checkout prior to version 5.0.53.1 allows attackers to access IAP information.

SQL Injection

Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39

CVE-2022-36831 5.5 - Medium - August 05, 2022

Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows attacker to access some file as Samsung Notes permission.

Directory traversal

Improper access control vulnerability in WebApp in Cameralyzer prior to versions 3.2.22, 3.3.22, 3.4.22 and 3.5.51

CVE-2022-36832 3.3 - Low - August 05, 2022

Improper access control vulnerability in WebApp in Cameralyzer prior to versions 3.2.22, 3.3.22, 3.4.22 and 3.5.51 allows attackers to access external storage as Cameralyzer privilege.

Improper Privilege Management

Exposure of Sensitive Information vulnerability in Game Launcher prior to version 6.0.07

CVE-2022-36834 5 - Medium - August 05, 2022

Exposure of Sensitive Information vulnerability in Game Launcher prior to version 6.0.07 allows local attacker to access app data with user interaction.

Information Disclosure

The TEE_PopulateTransientObject and __utee_from_attr functions in Samsung mTower 0.3.0

CVE-2022-35858 7.8 - High - August 04, 2022

The TEE_PopulateTransientObject and __utee_from_attr functions in Samsung mTower 0.3.0 allow a trusted application to trigger a memory overwrite, denial of service, and information disclosure by invoking the function TEE_PopulateTransientObject with a large number in the parameter attrCount.

Memory Leak

Improper validation of integrity check vulnerability in Samsung USB Driver Windows Installer for Mobile Phones prior to version 1.7.56.0

CVE-2022-33711 5.5 - Medium - July 12, 2022

Improper validation of integrity check vulnerability in Samsung USB Driver Windows Installer for Mobile Phones prior to version 1.7.56.0 allows local attackers to delete arbitrary directory using directory junction.

Improper Validation of Integrity Check Value

Information exposure in Calendar prior to version 12.3.05.10000

CVE-2022-33705 3.3 - Low - July 12, 2022

Information exposure in Calendar prior to version 12.3.05.10000 allows attacker to access calendar schedule without READ_CALENDAR permission.

AuthZ

Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0

CVE-2022-33713 7.5 - High - July 12, 2022

Implicit Intent hijacking vulnerability in Samsung Cloud prior to version 5.2.0 allows attacker to get sensitive information.

Improper access control vulnerability in Samsung Gallery prior to version 13.1.05.8

CVE-2022-33706 2.4 - Low - July 12, 2022

Improper access control vulnerability in Samsung Gallery prior to version 13.1.05.8 allows physical attackers to access the pictures using S Pen air gesture.

Improper identifier creation logic in Find My Mobile prior to version 7.2.24.12

CVE-2022-33707 5.3 - Medium - July 12, 2022

Improper identifier creation logic in Find My Mobile prior to version 7.2.24.12 allows attacker to identify the device.

Use of Insufficiently Random Values

Improper input validation vulnerability in AppsPackageInstaller in Galaxy Store prior to version 4.5.41.8

CVE-2022-33708 7.8 - High - July 12, 2022

Improper input validation vulnerability in AppsPackageInstaller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.

Improper Privilege Management

Improper input validation vulnerability in ApexPackageInstaller in Galaxy Store prior to version 4.5.41.8

CVE-2022-33709 7.8 - High - July 12, 2022

Improper input validation vulnerability in ApexPackageInstaller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.

Improper Privilege Management

Improper input validation vulnerability in BillingPackageInsraller in Galaxy Store prior to version 4.5.41.8

CVE-2022-33710 7.8 - High - July 12, 2022

Improper input validation vulnerability in BillingPackageInsraller in Galaxy Store prior to version 4.5.41.8 allows local attackers to launch activities as Galaxy Store privilege.

Improper Privilege Management

Improper access control vulnerability in Quick Share prior to version 13.1.2.4

CVE-2022-30745 5.5 - Medium - June 07, 2022

Improper access control vulnerability in Quick Share prior to version 13.1.2.4 allows attacker to access internal files in Quick Share.

AuthZ

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6

CVE-2022-30743 5.3 - Medium - June 07, 2022

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the data of contact and gallery without permission.

Improper Privilege Management

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6

CVE-2022-30739 4.3 - Medium - June 07, 2022

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get an user email or phone number with a normal level permission.

Improper Privilege Management

Implicit Intent hijacking vulnerability in Samsung Account prior to version 13.2.00.6

CVE-2022-30737 5.3 - Medium - June 07, 2022

Implicit Intent hijacking vulnerability in Samsung Account prior to version 13.2.00.6 allows attackers to get email ID.

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6

CVE-2022-30736 5.3 - Medium - June 07, 2022

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the data of contact and gallery without permission.

Improper Privilege Management

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6

CVE-2022-30735 7.5 - High - June 07, 2022

Improper privilege management vulnerability in Samsung Account prior to 13.2.00.6 allows attackers to get the access_token without permission.

Improper Privilege Management

Sensitive information exposure in Sign-out log in Samsung Account prior to version 13.2.00.6

CVE-2022-30734 5.3 - Medium - June 07, 2022

Sensitive information exposure in Sign-out log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.

Exposure of Resource to Wrong Sphere

Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6

CVE-2022-30733 5.3 - Medium - June 07, 2022

Sensitive information exposure in Sign-in log in Samsung Account prior to version 13.2.00.6 allows attackers to get an user email or phone number without permission.

Insertion of Sensitive Information into Log File

Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6

CVE-2022-30732 7.5 - High - June 07, 2022

Exposure of Sensitive Information vulnerability in Samsung Account prior to version 13.2.00.6 allows attacker to access sensitive information via onActivityResult.

Exposure of Resource to Wrong Sphere

DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1

CVE-2022-30744 7.8 - High - June 07, 2022

DLL hijacking vulnerability in KiesWrapper in Samsung Kies prior to version 2.6.4.22043_1 allows attacker to execute arbitrary code.

DLL preloading

Sensitive information exposure vulnerability in FmmExtraOperation of Find My Mobile prior to 7.2.24.12

CVE-2022-30742 3.3 - Low - June 07, 2022

Sensitive information exposure vulnerability in FmmExtraOperation of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permissio to get sim card information through device log.

Insertion of Sensitive Information into Log File

Improper auto-fill algorithm in Samsung Internet prior to version 17.0.1.69

CVE-2022-30740 4.3 - Medium - June 07, 2022

Improper auto-fill algorithm in Samsung Internet prior to version 17.0.1.69 allows physical attackers to guess stored credit card numbers.

Insecure Storage of Sensitive Information

Sensitive information exposure vulnerability in SimChangeAlertManger of Find My Mobile prior to 7.2.24.12

CVE-2022-30741 3.3 - Low - June 07, 2022

Sensitive information exposure vulnerability in SimChangeAlertManger of Find My Mobile prior to 7.2.24.12 allows local attackers with log access permission to get sim card information through device log.

Insertion of Sensitive Information into Log File

Improper access control vulnerability in Smart Things prior to 1.7.85.25

CVE-2022-30749 7.8 - High - June 07, 2022

Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.

authentification

Missing caller check in Smart Things prior to version 1.7.85.12

CVE-2022-30746 7.5 - High - June 07, 2022

Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely using javascript interface API.

Exposure of Resource to Wrong Sphere

PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25

CVE-2022-30747 5.5 - Medium - June 07, 2022

PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.

Incorrect Default Permissions

Unprotected dynamic receiver in Samsung Members prior to version 4.2.005

CVE-2022-30748 5.5 - Medium - June 07, 2022

Unprotected dynamic receiver in Samsung Members prior to version 4.2.005 allows attacker to launch arbitrary activity.

Improper authorization in Samsung Pass prior to 1.0.00.33

CVE-2022-30730 4.6 - Medium - June 07, 2022

Improper authorization in Samsung Pass prior to 1.0.00.33 allows physical attackers to acess account list without authentication.

AuthZ

Improper access control vulnerability in My Files prior to version 13.1.00.193

CVE-2022-30731 5.5 - Medium - June 07, 2022

Improper access control vulnerability in My Files prior to version 13.1.00.193 allows attackers to access arbitrary private files in My Files application.

AuthZ

Improper check in Loader in Samsung Internet prior to 17.0.1.69

CVE-2022-30738 4.3 - Medium - June 07, 2022

Improper check in Loader in Samsung Internet prior to 17.0.1.69 allows attackers to spoof address bar via executing script.

Improper Check for Unusual or Exceptional Conditions