CVE-2024-13917

An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using a user-provided PIN code or biometric data. The exposed "com.pri.applock.LockUI" activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges into a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it. Only one version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. An application update was released in April 2025.
CVSS

No CVSS.

Configurations

No configuration.

History

10 Jun 2025, 10:15

Type Values Removed Values Added
Summary
  • Added: (es) The application "com.pri.applock", pre-installed on Kruger&Matz smartphones, allows any application to be encrypted using the user-provided PIN code or biometric data. The exposed "com.pri.applock.LockUI" activity allows any other malicious application, without Android system permissions, to inject an arbitrary intent with system privileges into a protected application. It is necessary to know the protecting PIN number (it could be revealed by exploiting CVE-2024-13916) or to ask the user to provide it. The vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.
Summary
  • Removed: (en) An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed "com.pri.applock.LockUI" activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it. Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability
  • Added: (en) An application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed "com.pri.applock.LockUI" activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. Application update was released in April 2025.

30 May 2025, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-30 16:15

Updated : 2025-06-10 10:15


NVD link : CVE-2024-13917

Mitre link : CVE-2024-13917

CVE.ORG link : CVE-2024-13917



Products Affected

No product.

CWE
CWE-926

Improper Export of Android Application Components