CVSS: 10.0EPSS: 0%CPEs: 39EXPL: 1CVE-2013-6775
https://notcve.org/view.php?id=CVE-2013-6775
The Chainfire SuperSU package before 1.69 for Android allows attackers to gain privileges via the (1) backtick or (2) $() type of shell metacharacters in the -c option to /system/xbin/su. El paquete Chainfire SuperSU anterior a 1.69 para Android permite a atacantes ganar privilegios a través de el tipo de metacaracteres shell (1) backtick o (2) $() en la opción -c hacia /system/xbin/su. • http://www.securityfocus.com/archive/1/529797 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.8EPSS: 0%CPEs: 223EXPL: 0CVE-2014-1501
https://notcve.org/view.php?id=CVE-2014-1501
Mozilla Firefox before 28.0 on Android allows remote attackers to bypass the Same Origin Policy and access arbitrary file: URLs via vectors involving the "Open Link in New Tab" menu selection. Mozilla Firefox anterior a 28.0 en Android permite a atacantes remotos evadir Same Origin Policy y acceder a archivos arbitrarios: URLs a través de vectores que involucran la selección de menú "Abrir enlace en una pestaña nueva". • http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00016.html http://www.mozilla.org/security/announce/2014/mfsa2014-21.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html https://bugzilla.mozilla.org/show_bug.cgi?id=960135 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.4EPSS: 0%CPEs: 219EXPL: 0CVE-2014-1506
https://notcve.org/view.php?id=CVE-2014-1506
Directory traversal vulnerability in Android Crash Reporter in Mozilla Firefox before 28.0 on Android allows attackers to trigger the transmission of local files to arbitrary servers, or cause a denial of service (application crash), via a crafted application that specifies Android Crash Reporter arguments. Vulnerabilidad de salto de directorio en Android Crash Reporter en Mozilla Firefox anterior a 28.0 en Android permite a atacantes provocar la transmisión de archivos locales a servidores arbitrarios, o causar una denegación de servicio (caída de aplicación), a través de una aplicación manipulada que especifica argumentos de Android Crash Reporter. • http://archives.neohapsis.com/archives/bugtraq/2014-03/0153.html http://www.mozilla.org/security/announce/2014/mfsa2014-24.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/66420 https://bugzilla.mozilla.org/show_bug.cgi?id=944374 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.3EPSS: 3%CPEs: 14EXPL: 3CVE-2013-4710 – Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution
https://notcve.org/view.php?id=CVE-2013-4710
Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636. Android 3.0 hasta 4.1.x en Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, y otros dispositivos no implementa debidamente la clase WebView, lo que permite a atacantes remotos ejecutar métodos arbitrarios de objetos Java o causar una denegación de servicio (reinicio) a través de una página web manipulada, tal y como se demostró mediante el uso del método WebView.addJavascriptInterface, un problema relacionado con CVE-2012-6636. • https://www.exploit-db.com/exploits/41675 https://www.exploit-db.com/exploits/31519 https://github.com/Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability http://50.56.33.56/blog/?p=314 http://emobile.jp/products/sh/a01sh/systemsoftware.html http://jvn.jp/en/jp/JVN53768697/113349/index.html http://jvn.jp/en/jp/JVN53768697/397327/index.html http://jvn.jp/en/jp/JVN53768697/995293/index.html http://jvn.jp/en/jp/JVN53768697/995312/index.html http://jvn.jp • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 0CVE-2014-1939
https://notcve.org/view.php?id=CVE-2014-1939
java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels. java/android/webkit/BrowserFrame.java en Android anterior a 4.4 utiliza la API addJavascriptInterface en conjunto con la creación de un objeto de la clase SearchBoxImpl, lo que permite a atacantes ejecutar código Java arbitrario mediante el aprovechamiento del acceso a la interfaz searchBoxJavaBridge_ en ciertos niveles API de Android. • http://blog.chromium.org/2013/11/introducing-chromium-powered-android.html http://openwall.com/lists/oss-security/2014/02/11/2 https://support.lenovo.com/us/en/product_security/len_6421 • CWE-94: Improper Control of Generation of Code ('Code Injection') •