Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-39349

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-25 Oct, 2022 | 00:00
Updated At-23 Apr, 2025 | 16:43
Rejected At-
Credits

Tasks.org vulnerable to data exfiltration by malicous app or adb

The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user's notes and the app's preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:25 Oct, 2022 | 00:00
Updated At:23 Apr, 2025 | 16:43
Rejected At:
▼CVE Numbering Authority (CNA)
Tasks.org vulnerable to data exfiltration by malicous app or adb

The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user's notes and the app's preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.

Affected Products
Vendor
tasks
Product
tasks
Versions
Affected
  • < 12.7.1
  • = 13.0.0
Problem Types
TypeCWE IDDescription
CWECWE-441CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CWECWE-668CWE-668: Exposure of Resource to Wrong Sphere
Type: CWE
CWE ID: CWE-441
Description: CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
Type: CWE
CWE ID: CWE-668
Description: CWE-668: Exposure of Resource to Wrong Sphere
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8
N/A
https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942
N/A
Hyperlink: https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8
Resource: N/A
Hyperlink: https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8
x_transferred
https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942
x_transferred
Hyperlink: https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8
Resource:
x_transferred
Hyperlink: https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:25 Oct, 2022 | 17:15
Updated At:28 Oct, 2022 | 19:25

The Tasks.org Android app is an open-source app for to-do lists and reminders. The Tasks.org app uses the activity `ShareLinkActivity.kt` to handle "share" intents coming from other components in the same device and convert them to tasks. Those intents may contain arbitrary file paths as attachments, in which case the files pointed by those paths are copied in the app's external storage directory. Prior to versions 12.7.1 and 13.0.1, those paths were not validated, allowing a malicious or compromised application in the same device to force Tasks.org to copy files from its internal storage to its external storage directory, where they became accessible to any component with permission to read the external storage. This vulnerability can lead to sensitive information disclosure. All information in the user's notes and the app's preferences, including the encrypted credentials of CalDav integrations if enabled, could be accessed by third party applications installed on the same device. This issue was fixed in versions 12.7.1 and 13.0.1. There are no known workarounds.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Primary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CPE Matches
tasks
tasks
>>tasks>>Versions before 12.7.1(exclusive)
cpe:2.3:a:tasks:tasks:*:*:*:*:*:android:*:*
tasks
tasks
>>tasks>>13.0.0
cpe:2.3:a:tasks:tasks:13.0.0:*:*:*:*:android:*:*
Weaknesses
CWE IDTypeSource
CWE-668Primarynvd@nist.gov
CWE-441Secondarysecurity-advisories@github.com
CWE-668Secondarysecurity-advisories@github.com
CWE ID: CWE-668
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-441
Type: Secondary
Source: security-advisories@github.com
CWE ID: CWE-668
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942security-advisories@github.com
Patch
Third Party Advisory
https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8security-advisories@github.com
Patch
Third Party Advisory
Hyperlink: https://github.com/tasks/tasks/commit/23bf69d3f44b07e4bc62ea107f72103239f5d942
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory
Hyperlink: https://github.com/tasks/tasks/security/advisories/GHSA-8x58-cg74-8jg8
Source: security-advisories@github.com
Resource:
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

55Records found
CVE-2021-25652
Matching Score-4
Assigner-Avaya, Inc.
ShareView Details
Matching Score-4
Assigner-Avaya, Inc.
CVSS Score-4.9||MEDIUM
EPSS-0.25% / 48.44%
||
7 Day CHG~0.00%
Published-24 Jun, 2021 | 08:55
Updated-03 Aug, 2024 | 20:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Avaya Aura Appliance Virtualization Platform Utilities Sensitive Information Disclosure Vulnerability

An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Appliance Virtualization Platform Utilities (AVPU). This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects versions 8.0.0.0 through 8.1.3.1 of AVPU.

Action-Not Available
Vendor-Avaya LLC
Product-aura_appliance_virtualization_platformAvaya Aura Appliance Virtualization Platform Utilities
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2021-26327
Matching Score-4
Assigner-Advanced Micro Devices Inc.
ShareView Details
Matching Score-4
Assigner-Advanced Micro Devices Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.06% / 18.83%
||
7 Day CHG~0.00%
Published-16 Nov, 2021 | 18:18
Updated-17 Sep, 2024 | 02:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient validation of guest context in the SNP Firmware could lead to a potential loss of guest confidentiality.

Action-Not Available
Vendor-Advanced Micro Devices, Inc.
Product-epyc_7543epyc_7313epyc_7443_firmwareepyc_7343epyc_7663_firmwareepyc_7543_firmwareepyc_7763_firmwareepyc_7713pepyc_7443epyc_74f3_firmwareepyc_7513epyc_7313p_firmwareepyc_7763epyc_7713_firmwareepyc_7713p_firmwareepyc_73f3_firmwareepyc_7453epyc_7713epyc_7003_firmwareepyc_7443p_firmwareepyc_7513_firmwareepyc_7543p_firmwareepyc_7003epyc_7413_firmwareepyc_72f3epyc_7643epyc_7643_firmwareepyc_7663epyc_75f3epyc_72f3_firmwareepyc_7313_firmwareepyc_7543pepyc_7443pepyc_75f3_firmwareepyc_7453_firmwareepyc_7343_firmwareepyc_74f3epyc_7413epyc_7313pepyc_73f33rd Gen AMD EPYC™
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2021-21430
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.2||MEDIUM
EPSS-0.16% / 37.04%
||
7 Day CHG~0.00%
Published-10 May, 2021 | 19:25
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Creation of Temporary File in Directory with Insecure Permissions in auto-generated Java, Scala code

OpenAPI Generator allows generation of API client libraries (SDK generation), server stubs, documentation and configuration automatically given an OpenAPI Spec. Using `File.createTempFile` in JDK will result in creating and using insecure temporary files that can leave application and system data vulnerable to attacks. Auto-generated code (Java, Scala) that deals with uploading or downloading binary data through API endpoints will create insecure temporary files during the process. Affected generators: `java` (jersey2, okhttp-gson (default library)), `scala-finch`. The issue has been patched with `Files.createTempFile` and released in the v5.1.0 stable version.

Action-Not Available
Vendor-openapi-generatorOpenAPITools
Product-openapi_generatoropenapi-generator
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2021-0588
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.5||MEDIUM
EPSS-0.03% / 6.26%
||
7 Day CHG~0.00%
Published-14 Jul, 2021 | 13:44
Updated-03 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In processInboundMessage of MceStateMachine.java, there is a possible SMS disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9Android ID: A-177238342

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CVE-2021-1438
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-5.5||MEDIUM
EPSS-0.05% / 13.33%
||
7 Day CHG~0.00%
Published-06 May, 2021 | 12:40
Updated-08 Nov, 2024 | 23:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Wide Area Application Services Software Information Disclosure Vulnerability

A vulnerability in Cisco Wide Area Application Services (WAAS) Software could allow an authenticated, local attacker to gain access to sensitive information on an affected device. The vulnerability is due to improper input validation and authorization of specific commands that a user can execute within the CLI. An attacker could exploit this vulnerability by authenticating to an affected device and issuing a specific set of commands. A successful exploit could allow the attacker to read arbitrary files that they originally did not have permissions to access.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-wide_area_application_servicesCisco Wide Area Application Services (WAAS)
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
  • Previous
  • 1
  • 2
  • Next
Details not found