cve/2021/CVE-2021-25373.md

### [CVE-2021-25373](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25373)
![](https://img.shields.io/static/v1?label=Product&message=Customization%20Service&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Android%20O(8.x)%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Android%20P(9.0)%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Android%20Q(10.0)%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=Android%20R(11.0)%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-285%20Improper%20Authorization&color=brightgreen)

### Description

Using unsafe PendingIntent in Customization Service prior to version 2.2.02.1 in Android O(8.x), 2.4.03.0 in Android P(9.0), 2.7.02.1 in Android Q(10.0) and 2.9.01.1 in Android R(11.0) allows local attackers to perform unauthorized action without permission via hijacking the PendingIntent.

### POC

#### Reference
- https://security.samsungmobile.com/serviceWeb.smsb

#### Github
No PoCs found on GitHub currently.