CVSS: 8.1EPSS: 0%CPEs: 105EXPL: 0CVE-2018-16594
https://notcve.org/view.php?id=CVE-2018-16594
The Photo Sharing Plus component on Sony Bravia TV through 8.587 devices allows Directory Traversal. El componente Photo Sharing Plus en Sony Bravia TV a través de 8.587 dispositivos permite el recorrido de directorios. • https://fortiguard.com/zeroday/FG-VD-18-036 https://www.sony.co.uk/electronics/support/articles/00201041 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 105EXPL: 0CVE-2018-16595
https://notcve.org/view.php?id=CVE-2018-16595
The Photo Sharing Plus component on Sony Bravia TV through 8.587 devices has a Buffer Overflow. El componente Photo Sharing Plus en Sony Bravia TV a través de 8.587 dispositivos tiene un Desbordamiento de Búfer. • https://fortiguard.com/zeroday/FG-VD-18-036 https://www.sony.co.uk/electronics/support/articles/00201041 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.2EPSS: 0%CPEs: 16EXPL: 0CVE-2019-12762
https://notcve.org/view.php?id=CVE-2019-12762
Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just beneath the surface of a coffee-shop table, aka Ghost Touch. Los dispositivos Xiaomi Mi 5s Plus permiten a los atacantes desencadenar anomalías de la pantalla táctil a través de una señal de radio entre 198 kHz y 203 kHz, como lo demuestra un transmisor y una antena ocultos justo debajo de la superficie de una mesa de cafetería, también conocida como Ghost Touch. • https://hackercombat.com/nfc-vulnerability-may-promote-ghost-screen-taps https://medium.com/%40juliodellaflora/ghost-touch-on-xiaomi-mi5s-plus-707998308607 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-14983
https://notcve.org/view.php?id=CVE-2018-14983
The Sony Xperia L1 Android device with a build fingerprint of Sony/G3313/G3313:7.0/43.0.A.6.49/2867558199:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by Sony or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage. The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. • https://www.kryptowire.com https://www.kryptowire.com/portal/android-firmware-defcon-2018 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 89EXPL: 4CVE-2019-11336 – Sony Smart TV Information Disclosure / File Read
https://notcve.org/view.php?id=CVE-2019-11336
Sony Bravia Smart TV devices allow remote attackers to retrieve the static Wi-Fi password (used when the TV is acting as an access point) by using the Photo Sharing Plus application to execute a backdoor API command, a different vulnerability than CVE-2019-10886. Los dispositivos Sony Bravia Smart TV permiten a los atacantes remotos recuperar la contraseña estática de Wi-Fi (utilizada cuando el televisor está funcionando como un punto de acceso) mediante el uso de la aplicación Photo Sharing Plus para ejecutar un comando API tipo blackdoor, una vulnerabilidad diferente a la CVE-2019- 10886. Sony Smart TVs suffer from information disclosure and arbitrary file read vulnerabilities. • http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html http://seclists.org/fulldisclosure/2019/Apr/32 http://www.securityfocus.com/bid/108072 https://seclists.org/bugtraq/2019/Apr/34 https://www.darkmatter.ae/xen1thlabs/sony-smart-tv-photo-sharing-plus-information-disclosure-vulnerability-xl-19-003 • CWE-532: Insertion of Sensitive Information into Log File •