Settings
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-20906 | | Med | 0.36 | 5.5 | 0.00 | | Feb 4, 2025 | Improper Export of Android Application Components in Settings prior to SMR Feb-2025 Release 1 allows local attackers to enable ADB. |
| CVE-2026-20992 | | | 0.00 | — | 0.00 | | Mar 16, 2026 | Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application. |
| CVE-2025-21049 | | | 0.00 | — | 0.00 | | Oct 10, 2025 | Improper access control in SecSettings prior to SMR Oct-2025 Release 1 allows local attackers to access sensitive information. User interaction is required for triggering this vulnerability. |
| CVE-2024-34682 | | | 0.00 | — | 0.00 | | Nov 6, 2024 | Improper authorization in Settings prior to SMR Nov-2024 Release 1 allows physical attackers to access stored WiFi password in Maintenance Mode. |
| CVE-2024-0021 | | | 0.00 | — | 0.00 | | Feb 16, 2024 | In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges… |
| CVE-2024-0020 | | | 0.00 | — | 0.00 | | Feb 16, 2024 | In onActivityResult of NotificationSoundPreference.java, there is a possible way to hear audio files belonging to a different user due to a confused deputy. This could lead to local information disclosure across users of a device with no additional execution privileges needed.… |
| CVE-2023-42530 | | | 0.00 | — | 0.00 | | Nov 7, 2023 | Improper access control vulnerability in SecSettings prior to SMR Nov-2023 Release 1 allows attackers to enable Wi-Fi and Wi-Fi Direct without User Interaction. |
| CVE-2023-21335 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | In Settings, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed… |
| CVE-2023-21311 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | In Settings, there is a possible way to control private DNS settings from a secondary user due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2023-30727 | | | 0.00 | — | 0.00 | | Oct 4, 2023 | Improper access control vulnerability in SecSettings prior to SMR Oct-2023 Release 1 allows attackers to enable Wi-Fi and connect arbitrary Wi-Fi without User Interaction. |
| CVE-2023-35677 | | | 0.00 | — | 0.00 | | Sep 11, 2023 | In onCreate of DeviceAdminAdd.java, there is a possible way to forcibly add a device admin due to a missing permission check. This could lead to local denial of service (factory reset or continuous locking) with no additional execution privileges needed. User interaction is not… |
| CVE-2023-35667 | | | 0.00 | — | 0.00 | | Sep 11, 2023 | In updateList of NotificationAccessSettings.java, there is a possible way to hide approved notification listeners in the settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction… |
| CVE-2023-30708 | | | 0.00 | — | 0.01 | | Sep 6, 2023 | Improper authentication in SecSettings prior to SMR Sep-2023 Release 1 allows attacker to access Captive Portal Wi-Fi in Reactivation Lock status. |
| CVE-2023-21247 | | | 0.00 | — | 0.00 | | Jul 12, 2023 | In getAvailabilityStatus of BluetoothScanningMainSwitchPreferenceController.java, there is a possible way to bypass a device policy restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed.… |
| CVE-2023-30641 | | | 0.00 | — | 0.00 | | Jul 6, 2023 | Improper access control vulnerability in Settings prior to SMR Jul-2023 Release 1 allows physical attacker to use restricted user profile to access device owner's google account data. |
| CVE-2023-21460 | | | 0.00 | — | 0.00 | | Mar 16, 2023 | Improper authentication in SecSettings prior to SMR Mar-2023 Release 1 allows attacker to reset the setting. |
| CVE-2022-39904 | | | 0.00 | — | 0.00 | | Dec 8, 2022 | Exposure of Sensitive Information vulnerability in Samsung Settings prior to SMR Dec-2022 Release 1 allows local attackers to access the Network Access Identifier via log. |
| CVE-2022-20321 | | | 0.00 | — | 0.00 | | Aug 11, 2022 | In Settings, there is a possible way for an application without permissions to read content of WiFi QR codes due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for… |
| CVE-2022-20297 | | | 0.00 | — | 0.00 | | Aug 11, 2022 | In Settings, there is a possible way to bypass factory reset protections due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions:… |
| CVE-2022-30729 | | | 0.00 | — | 0.00 | | Jun 7, 2022 | Implicit Intent hijacking vulnerability in Settings prior to SMR Jun-2022 Release 1 allows attackers to get Wi-Fi SSID and password via a malicious QR code scanner. |
Page 1 of 2