CVE-2023-42468

medium

Description

The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application (without any permissions) can craft an intent targeting com.cutestudio.dialer.activities.DialerActivity via the android.intent.action.CALL action in conjunction with a tel: URI, thereby placing a phone call.

References

https://github.com/actuator/cve/blob/main/CVE-2023-42468

https://github.com/actuator/com.cutestudio.colordialer/blob/main/dialerPOC.apk

https://github.com/actuator/com.cutestudio.colordialer/blob/main/dial.gif

https://github.com/actuator/com.cutestudio.colordialer/blob/main/CWE-284.md

Details

Source: Mitre, NVD

Published: 2023-09-13

Updated: 2026-06-17

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00205