CVE-2024-46964: n/a
The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity component.
AI Analysis
Technical Summary
CVE-2024-46964 is a code injection vulnerability affecting the All Video Downloader Android application (com.video.downloader.all) through version 11.28. The flaw resides in the StartActivity component, which improperly handles input, allowing an attacker to inject and execute arbitrary JavaScript code. This vulnerability falls under CWE-94, indicating improper control over code generation or execution. The attack vector is network-based (AV:N) and requires no privileges (PR:N), but it does require user interaction (UI:R), such as clicking a malicious link or opening crafted content. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable application context. The CVSS 3.1 base score is 8.1, reflecting high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). Exploiting this vulnerability could allow attackers to steal sensitive information, manipulate app behavior, or perform further malicious actions within the app context. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is significant for Android users who have installed this app, especially in environments where sensitive data is handled or where the app is widely used.
Potential Impact
The primary impact of CVE-2024-46964 is the potential compromise of user confidentiality and integrity. Attackers can execute arbitrary JavaScript code, which may lead to data theft, session hijacking, or unauthorized actions within the app. This could expose personal user data, credentials, or other sensitive information stored or processed by the app. Although availability is not affected, the breach of confidentiality and integrity can have severe consequences, including identity theft, fraud, or further compromise of the device if the malicious code escalates privileges or exploits other vulnerabilities. Organizations relying on this app for video downloading or content management on Android devices face risks of data leakage and loss of user trust. The requirement for user interaction somewhat limits exploitation but does not eliminate risk, especially in phishing or social engineering scenarios. The lack of a patch increases exposure time, raising the likelihood of future exploitation.
Mitigation Recommendations
1. Immediately monitor for updates or patches from the application developer and apply them as soon as they become available.
2. Until a patch is released, restrict or block the use of the All Video Downloader app in enterprise environments, especially on devices handling sensitive data.
3. Educate users about the risks of interacting with untrusted links or content that could trigger the vulnerability.
4. Employ mobile device management (MDM) solutions to control app installations and enforce security policies.
5. Use application sandboxing or runtime application self-protection (RASP) technologies to limit the impact of injected code.
6. Conduct regular security assessments on mobile apps used within the organization to detect similar vulnerabilities proactively.
7. Monitor network traffic for suspicious activity related to the app’s communication patterns that could indicate exploitation attempts.
8. Encourage users to uninstall the vulnerable app if it is not essential or replace it with a more secure alternative.
Affected Countries
United States, India, Brazil, Indonesia, Russia, Mexico, Germany, United Kingdom, France, South Africa, Nigeria, Philippines, Vietnam, Turkey, Argentina
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-16T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d06b7ef31ef0b56d4ff
Added to database: 2/25/2026, 9:43:34 PM
Last enriched: 2/28/2026, 7:32:37 AM
Last updated: 4/12/2026, 5:08:29 PM