CVE-2023-29749

Vulnerability

Yandex Navigator v6.60 for Android exposes components that allow unauthorized apps to modify SharedPreference files. The application's SharedPreference files, such as ru.yandex.yandexnavi.preferences.xml, can be manipulated via intents sent to exposed services like ClidService. This affects any SharedPreferences file whose name starts with ru.yandex.yandexnavi.. [1]

Exploitation

An attacker with an installed malicious app can send a crafted intent to the exposed ClidService component, specifying the target preferences file and values. For example, setting notification-enabled to false disables the search box in the notification bar. The attacker does not need special permissions beyond being able to start an intent. [1]

Impact

Successful exploitation allows an unauthorized app to modify critical application settings stored in SharedPreferences, leading to escalation of privilege. The attacker can alter functionality such as disabling notifications or other features, potentially affecting user experience and security. [1]

Mitigation

As of the publication date (2023-06-09), no official fix or workaround has been disclosed in the available references. Users should monitor vendor updates for a patched version. [1]