VARIoT IoT vulnerabilities database

VAR-201911-0552 CVE-2019-15436 Samsung A8+ Android Vulnerability with improper permission assignment to critical resources on devices
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
The Samsung A8+ Android device with a build fingerprint of samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Samsung A8+ Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). Samsung A8+ is a smartphone from Samsung in South Korea. There is a security vulnerability in the com.samsung.android.themecenter app in Samsung A8+ (build fingerprint: samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys). An attacker could use this vulnerability to perform software installation with the help of other pre-installed software.
VAR-201911-0534 CVE-2019-15369 Lava Z61 Turbo Android Lack of authentication on device
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Lava Z61 Turbo Android device is vulnerable to a lack of authentication. Information may be tampered with.
VAR-201911-0558 CVE-2019-15442 Samsung on7xelteskt Access Control Error Vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
The Samsung on7xelteskt Android device with a build fingerprint of samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Samsung on7xelteskt Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). Samsung on7xelteskt is a smartphone from Samsung in South Korea. Samsung on7xelteskt has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component.
VAR-201911-0485 CVE-2019-15416 Sony keyaki_kddi Android Vulnerability with improper permission assignment to critical resources on devices
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller (versionCode=70008, versionName=08.10.03) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Sony keyaki_kddi Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). Sony keyaki_kddi is a smartphone from Sony Corporation of Japan. There is a security hole in the com.kddi.android.packageinstaller app in Sony keyaki_kddi (build fingerprint: Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys). An attacker could use this vulnerability to install software.
VAR-201911-0568 CVE-2019-15452 Samsung J3 Access Control Error Vulnerability
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Samsung J3 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). Samsung J3 is a smartphone from Samsung in South Korea. Samsung J3 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component.
VAR-201911-0547 CVE-2019-15431 Evercoss U50A Android Vulnerability with improper permission assignment to critical resources on devices
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Evercoss U50A Android device with a build fingerprint of EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys contains a pre-installed app with a package name of com.qiku.cleaner (versionCode=2, versionName=2.0_VER_2017.04.21_17:55:55) that allows other pre-installed apps to perform system properties modification via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Evercoss U50A Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be tampered with. Evercoss U50A is a smartphone. The com.qiku.cleaner app in Evercoss U50A (build fingerprint: EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys) has a security vulnerability. An attacker could use this vulnerability to modify system properties.
VAR-201911-0525 CVE-2019-15360 Hisense U965 Android Lack of authentication on device
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Hisense U965 Android device with a build fingerprint of Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Hisense U965 Android device is vulnerable to a lack of authentication. Information may be tampered with. Hisense U965 is a smartphone from Hisense, China. Hisense U965 has an unknown vulnerability. An attacker could use this vulnerability to modify system properties.
VAR-201911-0535 CVE-2019-15370 Haier G8 Android Lack of authentication on device
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Haier G8 Android device is vulnerable to a lack of authentication. Information may be tampered with. Haier G8 is a smartphone from Haier of China. Haier G8 has an access control error vulnerability. An attacker could use this vulnerability to modify system properties.
VAR-201911-0483 CVE-2019-15414 ASUS ZenFone AR Access Control Error Vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
The Asus ZenFone AR Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with a package name of com.asus.splendidcommandagent (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. The Asus ZenFone AR Android device is vulnerable to improper assignment of permissions to critical resources. Information may be acquired or falsified, and a denial of service (DoS) may result. ASUS ZenFone AR is a smartphone from ASUS, Taiwan. ASUS ZenFone AR has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component.
VAR-201911-1325 CVE-2019-15743 Sony Xperia Touch Access Control Error Vulnerability
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Sony Xperia Touch Android device with a build fingerprint of Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys contains a pre-installed app with a package name of com.sonymobile.android.maintenancetool.testmic (versionCode=24, versionName=7.0) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record audio to external storage. The Sony Xperia Touch Android device is vulnerable to an externally controllable reference to another realm resource. Information may be obtained. Sony Xperia Touch is a touch projector from Sony Corporation of Japan. The com.sonymobile.android.maintenancetool.testmic app in Sony Xperia Touch (build fingerprint: Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys) has an access control error vulnerability. An attacker can exploit this vulnerability for unauthorized microphone recording.
VAR-201911-0543 CVE-2019-15427 Xiaomi Mi Mix Android Vulnerability related to externally controllable references to other domain resources on devices
CVSS V2: 2.1
CVSS V3: 3.3
Severity: LOW
The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. The Xiaomi Mi Mix Android device is vulnerable to an externally controllable reference to another realm resource. Information may be tampered with. Xiaomi Mi Mix is a smartphone from China's Xiaomi Technology. Xiaomi Mi Mix (build fingerprint: Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys) is vulnerable. An attacker could use another application on the device to exploit the vulnerability to modify wireless settings without authorization. Pre-installed apps are allowed to perform app installation using an accessible app component.
VAR-201911-0554 CVE-2019-15438 Samsung XCover4 Android Vulnerability with improper permission assignment to critical resources on devices
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Samsung XCover4 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). Samsung XCover4 is a smartphone from Samsung in South Korea. Samsung XCover4 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to perform application installation through an accessible application component. The Samsung XCover4 Android device could allow a physical malicious user to gain elevated privileges on the system. An attacker could exploit this vulnerability to gain elevated privileges on the system.
VAR-201911-0475 CVE-2019-15406 ASUS ASUS_X00LD_3 Access Control Error Vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
The Asus ASUS_X00LD_3 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Asus ASUS_X00LD_3 Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). ASUS ASUS_X00LD_3 is a smartphone from ASUS, Taiwan. ASUS ASUS_X00LD_3 has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component.
VAR-201911-0499 CVE-2019-15334 Lava Iris 88 Go Android Vulnerability with improper permission assignment to critical resources on devices
CVSS V2: 2.1
CVSS V3: 3.3
Severity: LOW
The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface. Lava Iris 88 Go Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be tampered with. Lava Iris 88 Go is a smartphone from Lava, India. Lava Iris 88 Go has an unknown vulnerability. An attacker could use this vulnerability to switch Wi-Fi on without authorization.
VAR-201911-0542 CVE-2019-15377 Cherry Mobile Cherry Flare S7 Access Control Error Vulnerability
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Cherry Flare S7 Android device with a build fingerprint of Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Cherry Flare S7 Android device is vulnerable to a lack of authentication. Information may be tampered with. An attacker could use this vulnerability to modify system properties.
VAR-201911-0461 CVE-2019-15392 Asus ZenFone 4 Selfie Android Lack of authentication on device
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Asus ZenFone 4 Selfie Android device with a build fingerprint of Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys contains a pre-installed app with a package name of com.log.logservice (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Asus ZenFone 4 Selfie Android device is vulnerable to a lack of authentication. Information may be tampered with. ASUS ZenFone 4 Selfie is a smartphone from ASUS, Taiwan. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could exploit this vulnerability to modify system properties without authorization.
VAR-201911-0520 CVE-2019-15355 Tecno Camon iClick Android Lack of authentication on device
CVSS V2: 2.1
CVSS V3: 5.5
Severity: MEDIUM
The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. The Tecno Camon iClick Android device is vulnerable to a lack of authentication. Information may be tampered with. Tecno Camon iClick is a smartphone from China Transsion. Tecno Camon iClick has an unknown vulnerability. An attacker could use this vulnerability to modify system properties.
VAR-201911-0544 CVE-2019-15428 Xiaomi Mi Note 2 Android Vulnerability related to externally controllable references to other domain resources on devices
CVSS V2: 2.1
CVSS V3: 3.3
Severity: LOW
The Xiaomi Mi Note 2 Android device with a build fingerprint of Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. The Xiaomi Mi Note 2 Android device is vulnerable to an externally controllable reference to another realm resource. Information may be tampered with. Xiaomi Mi Note 2 is a smartphone from China's Xiaomi Technology. The com.miui.powerkeeper app in Xiaomi Mi Note 2 (build fingerprint: Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keys) has a security vulnerability. An attacker could use another application on the device to exploit the vulnerability to modify wireless settings without authorization.
VAR-201911-0573 CVE-2019-15457 Samsung J6 Access Control Error Vulnerability
CVSS V2: 4.6
CVSS V3: 7.8
Severity: HIGH
The Samsung J6 Android device with a build fingerprint of samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. The Samsung J6 Android device is vulnerable to improper assignment of permissions to critical resources. Information may be acquired or falsified, and a denial of service (DoS) may result. Samsung J6 is a smartphone from Samsung in South Korea. An access control error vulnerability exists in the com.samsung.android.themecenter app in Samsung J6 (build fingerprint: samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys). The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. No vulnerability details are provided at this time.
VAR-201911-0480 CVE-2019-15411 ASUS ZenFone 3 Laser Access Control Error Vulnerability
CVSS V2: 7.2
CVSS V3: 7.8
Severity: HIGH
The Asus ZenFone 3 Laser Android device with a build fingerprint of asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other pre-installed apps that exported their capabilities to other pre-installed apps. Asus ZenFone 3 Laser Android devices are vulnerable to improper assignment of permissions to critical resources. Information may be obtained or altered, and service operation may be disrupted (DoS). ASUS ZenFone 3 Laser is a smartphone from ASUS, Taiwan. ASUS ZenFone 3 Laser has an access control error vulnerability. The vulnerability stems from a network system or product that did not properly restrict access to resources from unauthorized roles. An attacker could use this vulnerability to execute commands through an accessible application component.