VARIoT IoT vulnerabilities database

VAR-201911-0552 | CVE-2019-15436 | Samsung A8+ Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung A8+ Android device with a build fingerprint of samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Samsung A8+ Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Samsung A8 + is a smartphone from Samsung in South Korea.
There is a security vulnerability in the com.samsung.android.themecenter app in Samsung A8 + (build fingerprint: samsung / jackpot2ltexx / jackpot2lte: 8.0.0 / R16NW / A730FXXS4BSC2: user / release-keys). An attacker could use this vulnerability to perform software installation with the help of other pre-installed software
VAR-201911-0534 | CVE-2019-15369 | Lava Z61 Turbo Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. Lava Z61 Turbo Android The device is vulnerable to a lack of authentication.Information may be tampered with
VAR-201911-0558 | CVE-2019-15442 | Samsung on7xelteskt Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Samsung on7xelteskt Android device with a build fingerprint of samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Samsung on7xelteskt Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Samsung on7xelteskt is a smartphone from Samsung in South Korea.
Samsung on7xelteskt has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component
VAR-201911-0485 | CVE-2019-15416 | Sony keyaki_kddi Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Sony keyaki_kddi Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Sony keyaki_kddi is a smart phone from Sony Corporation of Japan.
There is a security hole in the com.kddi.android.packageinstaller app in Sony keyaki_kddi (build fingerprint: Sony / keyaki_kddi / keyaki_kddi: 7.1.1 / TONE3-3.0.0-KDDI-170517-0326 / 1: user / dev-keys). An attacker could use this vulnerability to install software
VAR-201911-0568 | CVE-2019-15452 | Samsung J3 Access Control Error Vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Samsung J3 Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Samsung J3 is a smartphone from Samsung in South Korea.
Samsung J3 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component
VAR-201911-0547 | CVE-2019-15431 | Evercoss U50A Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Evercoss U50A Android device with a build fingerprint of EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0_VER_2017.04.21_17:55:55) that allows other pre-installed apps to perform system properties modification via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Evercoss U50A Android Devices are vulnerable to improper assignment of permissions to critical resources.Information may be tampered with. Evercoss U50A is a smartphone.
The com.qiku.cleaner app in Evercoss U50A (build fingerprint: EVERCOSS / U50A. / EVERCOSS: 7.0 / NRD90M / 1499911028: eng / test-keys) has a security vulnerability. An attacker could use this vulnerability to modify system properties
VAR-201911-0525 | CVE-2019-15360 | Hisense U965 Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Hisense U965 Android device with a build fingerprint of Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. Hisense U965 Android The device is vulnerable to a lack of authentication.Information may be tampered with. Hisense U965 is a smartphone from Hisense, China.
Hisense U965 has an unknown vulnerability. An attacker could use this vulnerability to modify system properties
VAR-201911-0535 | CVE-2019-15370 | Haier G8 Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. Haier G8 Android The device is vulnerable to a lack of authentication.Information may be tampered with. Haier G8 is a smartphone from Haier of China.
Haier G8 has an access control error vulnerability. An attacker could use this vulnerability to modify system properties
VAR-201911-0483 | CVE-2019-15414 | ASUS ZenFone AR Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Asus ZenFone AR Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with a package name of com.asus.splendidcommandagent app (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Asus ZenFone AR Android The device is vulnerable to improper assignment of permissions to critical resources.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. ASUS ZenFone AR is a smartphone from ASUS, Taiwan.
ASUS ZenFone AR has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component
VAR-201911-1325 | CVE-2019-15743 | Sony Xperia Touch Access Control Error Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Sony Xperia Touch Android device with a build fingerprint of Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys contains a pre-installed app with a package name of com.sonymobile.android.maintenancetool.testmic app (versionCode=24, versionName=7.0) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record audio to external storage. Sony Xperia Touch Android The device is vulnerable to an externally controllable reference to another realm resource.Information may be obtained. Sony Xperia Touch is a touch projector from Sony Corporation of Japan.
Com.sonymobile.android.maintenancetool.testmic app in Sony Xperia Touch (build fingerprint:Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys) Access control error vulnerability. An attacker can exploit this vulnerability for unauthorized microphone recording
VAR-201911-0543 | CVE-2019-15427 | Xiaomi Mi Mix Android Vulnerability related to externally controllable references to other domain resources on devices |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. Xiaomi Mi Mix Android The device is vulnerable to an externally controllable reference to another realm resource.Information may be tampered with. Xiaomi Mi Mix is a smartphone from China's Xiaomi Technology.
Xiaomi / lithium / lithium: 6.0.1 / MXB48T / 7.1.5: user / release in Xiaomi Mi Mix (build fingerprint: Xiaomi / lithium / lithium: 6.0.1 / MXB48T / 7.1.5: user / release-keys) -keys is vulnerable. An attacker could use another application on the device to exploit the vulnerability to unauthorizedly modify wireless settings. Pre-installed apps are allowed to perform app installation using an accessible app component
VAR-201911-0554 | CVE-2019-15438 | Samsung XCover4 Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Samsung XCover4 Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Samsung XCover4 is a smartphone from Samsung in South Korea.
Samsung XCover4 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component. The Samsung XCover4 Android device could allow a physical malicious user to gain elevated privileges on the system. An attacker could exploit this vulnerability to gain elevated privileges on the system
VAR-201911-0475 | CVE-2019-15406 | ASUS ASUS_X00LD_3 Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Asus ASUS_X00LD_3 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Asus ASUS_X00LD_3 Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ASUS ASUS_X00LD_3 is a smart phone from Taiwan ASUS.
ASUS ASUS_X00LD_3 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component
VAR-201911-0499 | CVE-2019-15334 | Lava Iris 88 Go Android Vulnerability with improper permission assignment to critical resources on devices |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. Lava Iris 88 Go Android Devices are vulnerable to improper assignment of permissions to critical resources.Information may be tampered with. Lava Iris 88 Go is a smartphone from Lava, India.
Lava Iris 88 Go has an unknown vulnerability. An attacker could use this vulnerability to unauthorizedly switch Wi-Fi on
VAR-201911-0542 | CVE-2019-15377 | Cherry Mobile Cherry Flare S7 Access Control Error Vulnerability |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Cherry Flare S7 Android device with a build fingerprint of Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. Cherry Flare S7 Android The device is vulnerable to a lack of authentication.Information may be tampered with. An attacker could use this vulnerability to modify system properties
VAR-201911-0461 | CVE-2019-15392 | Asus ZenFone 4 Selfie Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Asus ZenFone 4 Selfie Android device with a build fingerprint of Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. Asus ZenFone 4 Selfie Android The device is vulnerable to a lack of authentication.Information may be tampered with. ASUS ZenFone 4 Selfie is a smartphone from ASUS, Taiwan. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could exploit this vulnerability to modify system properties without authorization
VAR-201911-0520 | CVE-2019-15355 | Tecno Camon iClick Android Lack of authentication on device |
CVSS V2: 2.1 CVSS V3: 5.5 Severity: MEDIUM |
The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. Tecno Camon iClick Android The device is vulnerable to a lack of authentication.Information may be tampered with. Tecno Camon iClick is a smartphone from China Transsion.
Tecno Camon iClick has an unknown vulnerability. An attacker could use this vulnerability to modify system properties
VAR-201911-0544 | CVE-2019-15428 | Xiaomi Mi Note 2 Android Vulnerability related to externally controllable references to other domain resources on devices |
CVSS V2: 2.1 CVSS V3: 3.3 Severity: LOW |
The Xiaomi Mi Note 2 Android device with a build fingerprint of Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. Xiaomi Mi Note 2 Android The device is vulnerable to an externally controllable reference to another realm resource.Information may be tampered with. Xiaomi Mi Note 2 is a smartphone from China's Xiaomi Technology.
The com.miui.powerkeeper app in Xiaomi Mi Note 2 (build fingerprint: Xiaomi / scorpio / scorpio: 6.0.1 / MXB48T / 7.1.5: user / release-keys) has a security vulnerability. An attacker could use another application on the device to exploit the vulnerability to unauthorizedly modify wireless settings
VAR-201911-0573 | CVE-2019-15457 | Samsung J6 Access Control Error Vulnerability |
CVSS V2: 4.6 CVSS V3: 7.8 Severity: HIGH |
The Samsung J6 Android device with a build fingerprint of samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Samsung J6 Android The device is vulnerable to improper assignment of permissions to critical resources.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Samsung J6 is a smartphone from Samsung in South Korea.
An access control error vulnerability exists in the com.samsung.android.themecenter app in Samsung J6 (build fingerprint: samsung / j6ltexx / j6lte: 8.0.0 / R16NW / J600FNXXU3ASC1: user / release-keys). The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. No detailed vulnerability details are provided at this time
VAR-201911-0480 | CVE-2019-15411 | ASUS ZenFone 3 Laser Access Control Error Vulnerability |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
The Asus ZenFone 3 Laser Android device with a build fingerprint of asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. Asus ZenFone 3 Laser Android Devices are vulnerable to improper assignment of permissions to critical resources.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. ASUS ZenFone 3 Laser is a smartphone from ASUS, Taiwan.
ASUS ZenFone 3 Laser has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component