Vulnerabilites related to F-Secure - F-Secure SAFE Browser for Android Version 18.5 & below
cve-2021-44751
Vulnerability from cvelistv5
Published
2022-03-25 10:32
Modified
2024-08-04 04:32
Severity ?
EPSS score ?
Summary
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| F-Secure | F-Secure SAFE Browser for Android Version 18.5 & below |
Version: 18.5 < 18.6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:32:13.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"platforms": [
"Android"
],
"product": "F-Secure SAFE Browser for Android Version 18.5 \u0026 below",
"vendor": "F-Secure",
"versions": [
{
"lessThan": "18.6",
"status": "affected",
"version": "18.5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "F-Secure SAFE Browser vulnerable to USSD attacks",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-25T18:02:37",
"orgId": "126858f1-1b65-4b74-81ca-7034f7f7723f",
"shortName": "F-SecureUS"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
}
],
"solutions": [
{
"lang": "en",
"value": "FIX : A fix has been released in the automatic update channel since 22nd, March 2022. No user action is required."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "F-Secure SAFE Browser vulnerable to USSD attacks",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-notifications-us@f-secure.com",
"ID": "CVE-2021-44751",
"STATE": "PUBLIC",
"TITLE": "F-Secure SAFE Browser vulnerable to USSD attacks"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "F-Secure SAFE Browser for Android Version 18.5 \u0026 below",
"version": {
"version_data": [
{
"platform": "Android",
"version_affected": "\u003c",
"version_name": "18.5",
"version_value": "18.6"
}
]
}
}
]
},
"vendor_name": "F-Secure"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website attached with USSD code in JavaScript or iFrame can trigger dialer application from F-Secure browser which can be exploited by an attacker to send unwanted USSD messages or perform unwanted calls. In most modern Android OS, dialer application will require user interaction, however, some older Android OS may not need user interaction."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "F-Secure SAFE Browser vulnerable to USSD attacks"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame",
"refsource": "MISC",
"url": "https://www.f-secure.com/en/business/programs/vulnerability-reward-program/hall-of-fame"
}
]
},
"solution": [
{
"lang": "en",
"value": "FIX : A fix has been released in the automatic update channel since 22nd, March 2022. No user action is required."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "126858f1-1b65-4b74-81ca-7034f7f7723f",
"assignerShortName": "F-SecureUS",
"cveId": "CVE-2021-44751",
"datePublished": "2022-03-25T10:32:11",
"dateReserved": "2021-12-08T00:00:00",
"dateUpdated": "2024-08-04T04:32:13.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}