{"id":"CVE-2023-6542","details":"Due to a lack of proper authorization checks in the Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links, without any validation, directly from the host application. On a successful attack, the attacker could navigate to an arbitrary URL, including application deep links, on the device.\n\n","modified":"2026-04-10T05:08:03.887618Z","published":"2023-12-12T02:15:09.347Z","references":[{"type":"ADVISORY","url":"https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"},{"type":"REPORT","url":"https://me.sap.com/notes/3406244"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/emartech/android-emarsys-sdk","events":[{"introduced":"0"},{"last_affected":"5505560369569e48506910044c1dc8a6bcd20609"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.6.2"}]}}],"versions":["1.99.0","2.0.0","2.0.1","2.1.0","2.10.0","2.11.0","2.11.1","2.12.0","2.12.1","2.13.0","2.14.0","2.14.1","2.14.2","2.14.3","2.15.0","2.16.0","2.2.0","2.3.0","2.4.1","2.4.2","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.6.0","2.6.1","2.7.0","2.8.0","2.9.0","2.9.1","3.0.0","3.0.1","3.1.0","3.1.1","3.1.2","3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.3.0","3.3.1","3.4.0","3.5.0","3.5.1","3.5.3","3.6.0","3.6.1","3.6.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6542.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}