The vulnerability is that the Messaging (com.android.mms) app patched by LG forwards attacker-controlled intents back to the attacker in the exported com.android.mms.ui.QClipIntentReceiverActivity activity. The attacker can abuse this functionality by launching this activity and then sending a broadcast with the com.lge.message.action.QCLIP action. The attacker can send, e.g., their own data/clipdata and set Intent.FLAG_GRANT_* flags. After the attacker received that intent in the onActivityResult() method, they would have access to arbitrary content providers that have the android:grantUriPermissions=true flag set.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Android | 12.0 (including) | 13.0 (including) |