CVE-2023-49000

9.8 CRITICAL

📋 TL;DR

This vulnerability in ArtistScope ArtisBrowser allows attackers to bypass access restrictions by exploiting the com.artis.browser.IntentReceiverActivity component. It affects ArtisBrowser v34.1.5 and earlier versions. The vendor disputes the vulnerability, claiming ArtisBrowser 34 doesn't support CSS3.

💻 Affected Systems

Products:
  • ArtistScope ArtisBrowser
Versions: v34.1.5 and earlier
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes that the vulnerability exists in ArtisBrowser 34, citing its lack of CSS3 support.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing unauthorized access to protected resources, potential data exfiltration, and privilege escalation.

🟠 Likely Case

Unauthorized access to restricted application features or data through component interaction bypass.

🟢 If Mitigated

Limited impact with proper component isolation and input validation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves interacting with the exposed IntentReceiverActivity component.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider alternative browsers until the vendor provides a fix.

🔧 Temporary Workarounds

Disable ArtisBrowser

android

Remove or disable the ArtisBrowser application on affected devices.

adb uninstall com.artis.browser

Restrict component access

android

Use Android permissions or security policies to restrict access to IntentReceiverActivity.

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks
  • Implement network segmentation and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the ArtisBrowser version in the app settings or via 'adb shell dumpsys package com.artis.browser'.

Check Version:

adb shell dumpsys package com.artis.browser | grep versionName

Verify Fix Applied:

Verify that ArtisBrowser is uninstalled or updated to a version above 34.1.5.
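
The version check above can be scripted for fleet audits. The following is an added example, not part of the advisory or any vendor tooling: it parses `dumpsys package` output and reports whether the installed version falls in the affected range (v34.1.5 and earlier). The function names and the sample dumpsys text are constructed for illustration.

```shell
#!/bin/sh
# Usage on a device: adb shell dumpsys package com.artis.browser | classify
LAST_AFFECTED="34.1.5"   # from the advisory: v34.1.5 and earlier

# Constructed sample of dumpsys output (values are illustrative only).
SAMPLE_DUMPSYS='Packages:
  Package [com.artis.browser] (1a2b3c):
    versionCode=340105 minSdk=21 targetSdk=33
    versionName=34.1.5'

# Extract the first versionName=... value from dumpsys text on stdin.
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) if version $1 <= version $2, comparing dot-separated
# fields numerically so that 34.10.0 sorts above 34.1.5.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = x[i] + 0; yi = y[i] + 0   # missing fields count as 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Read dumpsys text on stdin and print one of:
#   not-installed | affected <ver> | above-affected-range <ver>
classify() {
    ver=$(extract_version)
    if [ -z "$ver" ]; then
        echo "not-installed"
        return
    fi
    if version_le "$ver" "$LAST_AFFECTED"; then
        echo "affected $ver"
    else
        echo "above-affected-range $ver"
    fi
}

printf '%s\n' "$SAMPLE_DUMPSYS" | classify
```

A result of `not-installed` only means no `versionName` line was found in the input, so confirm that the adb connection itself succeeded before trusting it.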

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to com.artis.browser.IntentReceiverActivity
  • Unexpected intent broadcasts to ArtisBrowser

Network Indicators:

  • Unusual network traffic from ArtisBrowser app

SIEM Query:

source="android_logs" AND "com.artis.browser.IntentReceiverActivity" AND ("unauthorized" OR "access denied")
