← back
CVE-2023-23299

CVE-2023-23299

EPSS 0.8%CWE-863
Vexday Risk Score
3Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 May 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 through 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their functions and disclose sensitive data such as user profile information and GPS coordinates, among others.
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://developer.garmin.com/connect-iq/core-topics/manifest-and-permissions/https://github.com/anvilsecure/garmin-ciq-app-research/blob/main/advisories/CVE-2023-23299.md