CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-15363
https://notcve.org/view.php?id=CVE-2019-15363
The Leagoo Power 5 Android device with a build fingerprint of LEAGOO/Power_5/Power_5:8.1.0/O11019/1532686195:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization. El dispositivo Leagoo Power 5 Android con una huella digital de LEAGOO/Power_5/Power_5:8.1.0/O11019/1532686195:user/release-keys, contiene una aplicación preinstalada con un nombre de paquete de aplicación com.mediatek.wfo.impl (versionCode=27, versionName=8.1.0), que permite a cualquier aplicación ubicada en el dispositivo modificar una propiedad del sistema por medio de una interfaz exportada sin la autorización adecuada. • https://www.kryptowire.com/android-firmware-2019 •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2018-14999
https://notcve.org/view.php?id=CVE-2018-14999
The Leagoo P1 device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed platform app with a package name of com.wtk.factory (versionCode=1, versionName=1.0) that contains an exported broadcast receiver named com.wtk.factory.MMITestReceiver allows any app co-located on the device to programmatically initiate a factory reset. In addition, the app initiating the factory reset does not require any permissions. A factory reset will remove all user data and apps from the device. This will result in the loss of any data that have not been backed up or synced externally. The capability to perform a factory reset is not directly available to third-party apps (those that the user installs themselves with the exception of enabled Mobile Device Management (MDM) apps), although this capability can be obtained by leveraging an unprotected app component of a pre-installed platform app. • https://www.kryptowire.com https://www.kryptowire.com/portal/android-firmware-defcon-2018 https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-14997
https://notcve.org/view.php?id=CVE-2018-14997
The Leagoo P1 Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains the android framework (i.e., system_server) with a package name of android that has been modified by Leagoo or another entity in the supply chain. The system_server process in the core Android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage. The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. • https://www.kryptowire.com https://www.kryptowire.com/portal/android-firmware-defcon-2018 https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-14986
https://notcve.org/view.php?id=CVE-2018-14986
The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) containing an exported content provider named com.android.messaging.datamodel.MessagingContentProvider. Any app co-located on the device can read the most recent text message from each conversation. That is, for each phone number where the user has either sent or received a text message from, a zero-permission third-party app can obtain the body of the text message, phone number, name of the contact (if it exists), and a timestamp for the most recent text message of each conversation. As the querying of the vulnerable content provider app component can be performed silently in the background, a malicious app can continuously monitor the content provider to see if the current message in each conversation has changed to obtain new text messages. El dispositivo Android Leagoo Z5C con una huella digital sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contiene una aplicación preinstalada, cuyo paquete se denomina com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) con un proveedor de contenidos exportado llamado com.android.messaging.datamodel.MessagingContentProvider. • https://www.kryptowire.com/portal/android-firmware-defcon-2018 https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2018-14984
https://notcve.org/view.php?id=CVE-2018-14984
The Leagoo Z5C Android device with a build fingerprint of sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contains a pre-installed app with a package name of com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) with an exported broadcast receiver app component named com.android.messaging.trackersender.TrackerSender. Any app co-located on the device, even one with no permissions, can send a broadcast intent with certain embedded data to the exported broadcast receiver application component that will result in the programmatic sending of a text message where the phone number and body of the text message is controlled by the attacker. El dispositivo Android Leagoo Z5C con una huella digital sp7731c_1h10_32v4_bird:6.0/MRA58K/android.20170629.214736:user/release-keys contiene una aplicación preinstalada, cuyo paquete se denomina com.android.messaging (versionCode=1000110, versionName=1.0.001, (android.20170630.092853-0)) con un componente de app de recepción de transmisiones exportada llamado com.android.messaging.trackersender.TrackerSender. Cualquier app que también esté en el dispositivo, incluso aunque no tenga permisos, puede enviar un intent de transmisión con ciertos datos embebidos al componente de la aplicación de recepción de transmisiones exportada que resultará en el envío programático de un mensaje de texto en el que el número de teléfono y el cuerpo del mensaje de texto están controlados por el atacante. • https://www.kryptowire.com/portal/android-firmware-defcon-2018 https://www.kryptowire.com/portal/wp-content/uploads/2018/12/DEFCON-26-Johnson-and-Stavrou-Vulnerable-Out-of-the-Box-An-Eval-of-Android-Carrier-Devices-WP-Updated.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •