Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
garmin connect-iq vulnerabilities and exploits
(subscribe to this query)
9.8
CVSSv3
CVE-2023-23298
The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 up to and including 4.1.7 does not validate its parameters, which can result in integer overflows when allocating the underlying bitmap buffer. A malicious application could call the API method wi...
Garmin Connect-iq
7.5
CVSSv3
CVE-2023-23299
The permission system implemented and enforced by the GarminOS TVM component in CIQ API version 1.0.0 up to and including 4.1.7 can be bypassed entirely. A malicious application with specially crafted code and data sections could access restricted CIQ modules, call their function...
Garmin Connect-iq
9.8
CVSSv3
CVE-2023-23300
The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 up to and including 4.1.7 does not validate its parameters, which can result in buffer overflows when copying data. A malicious application could call the API method with specially crafted parameters ...
Garmin Connect-iq
9.8
CVSSv3
CVE-2023-23301
The `news` MonkeyC operation code in CIQ API version 1.0.0 up to and including 4.1.7 fails to check that string resources are not extending past the end of the expected sections. A malicious CIQ application could craft a string that starts near the end of a section, and whose len...
Garmin Connect-iq
9.8
CVSSv3
CVE-2023-23302
The `Toybox.GenericChannel.setDeviceConfig` API method in CIQ API version 1.2.0 up to and including 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. A malicious application could call the API method with specially crafte...
Garmin Connect-iq
9.8
CVSSv3
CVE-2023-23303
The `Toybox.Ant.GenericChannel.enableEncryption` API method in CIQ API version 3.2.0 up to and including 4.1.7 does not validate its parameter, which can result in buffer overflows when copying various attributes. A malicious application could call the API method with specially c...
Garmin Connect-iq
9.1
CVSSv3
CVE-2023-23304
The GarminOS TVM component in CIQ API version 2.1.0 up to and including 4.1.7 allows applications with a specially crafted head section to use the `Toybox.SensorHistory` module without permission. A malicious application could call any functions from the `Toybox.SensorHistory` mo...
Garmin Connect-iq
9.8
CVSSv3
CVE-2023-23305
The GarminOS TVM component in CIQ API version 1.0.0 up to and including 4.1.7 is vulnerable to various buffer overflows when loading binary resources. A malicious application embedding specially crafted resources could hijack the execution of the device's firmware.
Garmin Connect-iq
9.8
CVSSv3
CVE-2023-23306
The `Toybox.Ant.BurstPayload.add` API method in CIQ API version 2.2.0 up to and including 4.1.7 suffers from a type confusion vulnreability, which can result in an out-of-bounds write operation. A malicious application could create a specially crafted `Toybox.Ant.BurstPayload` ob...
Garmin Connect-iq
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223
CVE-2024-0044
information disclosure
CVE-2024-35753
HTML injection
CVE-2024-21306
CVE-2024-35733
SQL injection
CVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started