VARIoT IoT vulnerabilities database
| VAR-201911-0548 | CVE-2019-15432 | Evercoss U6 Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Evercoss U6 Android device with a build fingerprint of EVERCOSS/U6/U6:7.0/NRD90M/1504236704:user/release-keys contains a pre-installed app with the package name com.qiku.cleaner (versionCode=2, versionName=2.0.0_VER_32516486284094) that allows other pre-installed apps to modify system properties via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Evercoss U6 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be tampered with. Evercoss U6 is a smartphone.
Evercoss U6 has a security vulnerability. An attacker could use this vulnerability to pre-install an application on a device to obtain signatureOrSystem permissions.
| VAR-201911-0518 | CVE-2019-15353 | Coolpad N3C Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Coolpad N3C Android device with a build fingerprint of Coolpad/N3C/N3C:8.1.0/O11019/1538236809:user/release-keys contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Coolpad N3C Android device is vulnerable to a lack of authentication. Information may be tampered with. Coolpad N3C is a smartphone from Yulong Computer Communication Technology of China.
Yulong Computer Communication Technology Coolpad N3C has an unknown vulnerability. An attacker could use this vulnerability to modify system properties.
| VAR-201911-0533 | CVE-2019-15368 | Coolpad 1851 Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Coolpad 1851 Android device is vulnerable to a lack of authentication. Information may be tampered with. Coolpad 1851 is a smartphone from Yulong Computer Communication Technology of China.
Yulong Computer Communication Technology Coolpad 1851 has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to modify system properties.
| VAR-201911-0473 | CVE-2019-15404 | Asus ZenFone Max 4 Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Asus ZenFone Max 4 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1712.367-20171225:user/release-keys contains a pre-installed app with the package name com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to execute commands via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Asus ZenFone Max 4 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. ASUS ZenFone Max 4 is a smartphone from ASUS, Taiwan.
ASUS ZenFone Max 4 has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component.
| VAR-201911-0552 | CVE-2019-15436 | Samsung A8+ Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung A8+ Android device with a build fingerprint of samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys contains a pre-installed app with the package name com.samsung.android.themecenter (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to install apps via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Samsung A8+ Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. Samsung A8+ is a smartphone from Samsung in South Korea.
There is a security vulnerability in the com.samsung.android.themecenter app in Samsung A8+ (build fingerprint: samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys). An attacker could use this vulnerability to perform software installation with the help of other pre-installed software.
| VAR-201911-0534 | CVE-2019-15369 | Lava Z61 Turbo Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Lava Z61 Turbo Android device is vulnerable to a lack of authentication. Information may be tampered with.
| VAR-201911-0558 | CVE-2019-15442 | Samsung on7xelteskt Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Samsung on7xelteskt Android device with a build fingerprint of samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keys contains a pre-installed app with the package name com.samsung.android.themecenter (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to install apps via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Samsung on7xelteskt Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. Samsung on7xelteskt is a smartphone from Samsung in South Korea.
Samsung on7xelteskt has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component.
| VAR-201911-0485 | CVE-2019-15416 | Sony keyaki_kddi Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with the package name com.kddi.android.packageinstaller (versionCode=70008, versionName=08.10.03) that allows other pre-installed apps to install apps via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Sony keyaki_kddi Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. Sony keyaki_kddi is a smartphone from Sony Corporation of Japan.
There is a security vulnerability in the com.kddi.android.packageinstaller app in Sony keyaki_kddi (build fingerprint: Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys). An attacker could use this vulnerability to install software.
| VAR-201911-0568 | CVE-2019-15452 | Samsung J3 Access Control Error Vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with the package name com.samsung.android.themecenter (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to install apps via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Samsung J3 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. Samsung J3 is a smartphone from Samsung in South Korea.
Samsung J3 has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component.
| VAR-201911-0547 | CVE-2019-15431 | Evercoss U50A Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Evercoss U50A Android device with a build fingerprint of EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys contains a pre-installed app with the package name com.qiku.cleaner (versionCode=2, versionName=2.0_VER_2017.04.21_17:55:55) that allows other pre-installed apps to modify system properties via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Evercoss U50A Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be tampered with. Evercoss U50A is a smartphone.
The com.qiku.cleaner app in Evercoss U50A (build fingerprint: EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys) has a security vulnerability. An attacker could use this vulnerability to modify system properties.
| VAR-201911-0525 | CVE-2019-15360 | Hisense U965 Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Hisense U965 Android device with a build fingerprint of Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keys contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Hisense U965 Android device is vulnerable to a lack of authentication. Information may be tampered with. Hisense U965 is a smartphone from Hisense, China.
Hisense U965 has an unknown vulnerability. An attacker could use this vulnerability to modify system properties.
| VAR-201911-0535 | CVE-2019-15370 | Haier G8 Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keys contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Haier G8 Android device is vulnerable to a lack of authentication. Information may be tampered with. Haier G8 is a smartphone from Haier of China.
Haier G8 has an access control error vulnerability. An attacker could use this vulnerability to modify system properties.
| VAR-201911-0483 | CVE-2019-15414 | ASUS ZenFone AR Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Asus ZenFone AR Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with the package name com.asus.splendidcommandagent (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to execute commands via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. The Asus ZenFone AR Android device is vulnerable to improper assignment of permissions to critical resources. Information may be acquired or falsified, and a denial-of-service (DoS) condition may result. ASUS ZenFone AR is a smartphone from ASUS, Taiwan.
ASUS ZenFone AR has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component.
| VAR-201911-1325 | CVE-2019-15743 | Sony Xperia Touch Access Control Error Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Sony Xperia Touch Android device with a build fingerprint of Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys contains a pre-installed app with the package name com.sonymobile.android.maintenancetool.testmic (versionCode=24, versionName=7.0) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record audio to external storage. The Sony Xperia Touch Android device is vulnerable to an externally controllable reference to a resource in another realm. Information may be obtained. Sony Xperia Touch is a touch projector from Sony Corporation of Japan.
The com.sonymobile.android.maintenancetool.testmic app in Sony Xperia Touch (build fingerprint: Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys) has an access control error vulnerability. An attacker can exploit this vulnerability for unauthorized microphone recording.
| VAR-201911-0543 | CVE-2019-15427 | Xiaomi Mi Mix Android Vulnerability related to externally controllable references to other domain resources on devices |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with the package name com.miui.powerkeeper (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. The Xiaomi Mi Mix Android device is vulnerable to an externally controllable reference to a resource in another realm. Information may be tampered with. Xiaomi Mi Mix is a smartphone from China's Xiaomi Technology.
Xiaomi Mi Mix (build fingerprint: Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys) is vulnerable. An attacker could use another application on the device to exploit the vulnerability to modify wireless settings without authorization. Pre-installed apps are allowed to perform app installation using an accessible app component.
| VAR-201911-0554 | CVE-2019-15438 | Samsung XCover4 Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with the package name com.samsung.android.themecenter (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to install apps via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Samsung XCover4 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. Samsung XCover4 is a smartphone from Samsung in South Korea.
Samsung XCover4 has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component. The Samsung XCover4 Android device could allow a malicious user with physical access to gain elevated privileges on the system. An attacker could exploit this vulnerability to gain elevated privileges on the system.
| VAR-201911-0475 | CVE-2019-15406 | ASUS ASUS_X00LD_3 Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Asus ASUS_X00LD_3 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with the package name com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to execute commands via an accessible app component. This capability can be accessed by any pre-installed app on the device that can obtain the signatureOrSystem permissions required by other pre-installed apps that export their capabilities to other pre-installed apps. Asus ASUS_X00LD_3 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and a denial-of-service (DoS) condition may result. ASUS ASUS_X00LD_3 is a smartphone from ASUS, Taiwan.
ASUS ASUS_X00LD_3 has an access control error vulnerability. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component.
| VAR-201911-0499 | CVE-2019-15334 | Lava Iris 88 Go Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with the package name com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. Lava Iris 88 Go Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be tampered with. Lava Iris 88 Go is a smartphone from Lava, India.
Lava Iris 88 Go has an unknown vulnerability. An attacker could use this vulnerability to switch Wi-Fi on without authorization.
| VAR-201911-0542 | CVE-2019-15377 | Cherry Mobile Cherry Flare S7 Access Control Error Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Cherry Flare S7 Android device with a build fingerprint of Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keys contains a pre-installed app with the package name com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Cherry Flare S7 Android device is vulnerable to a lack of authentication. Information may be tampered with. An attacker could use this vulnerability to modify system properties.
| VAR-201911-0461 | CVE-2019-15392 | Asus ZenFone 4 Selfie Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Asus ZenFone 4 Selfie Android device with a build fingerprint of Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys contains a pre-installed app with the package name com.log.logservice (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Asus ZenFone 4 Selfie Android device is vulnerable to a lack of authentication. Information may be tampered with. ASUS ZenFone 4 Selfie is a smartphone from ASUS, Taiwan. The vulnerability stems from a network system or product failing to properly restrict access to resources from unauthorized roles. An attacker could exploit this vulnerability to modify system properties without authorization.