CVE-2023-1385
https://notcve.org/view.php?id=CVE-2023-1385
Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS 7.6.3.3. • https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series • CWE-330: Use of Insufficiently Random Values •
CVE-2023-1384
https://notcve.org/view.php?id=CVE-2023-1384
The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter allowing for arbitrary javascript code to be run This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3. • https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2023-1383
https://notcve.org/view.php?id=CVE-2023-1383
An Improper Enforcement of Behavioral Workflow vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3. • https://www.bitdefender.com/blog/labs/vulnerabilities-identified-amazon-fire-tv-stick-insignia-fire-os-tv-series • CWE-841: Improper Enforcement of Behavioral Workflow •
CVE-2019-7399 – Amazon FireOS 5.3.6.3 Man-In-The-Middle
https://notcve.org/view.php?id=CVE-2019-7399
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages. Amazon Fire OS, en versiones anteriores a la 5.3.6.4, permite un ataque Man-in-the-Middle (MitM) contra las peticiones HTTP para las páginas "Terms of Use" y "Privacy". Amazon FireOS version 5.3.6.3 suffers from a content injection vulnerability via man-in-the-middle attacks. • http://www.securityfocus.com/bid/107025 https://wwws.nightwatchcybersecurity.com/2019/02/07/content-injection-in-amazon-kindles-fireos-cve-2019-7399 • CWE-346: Origin Validation Error •
CVE-2018-11020
https://notcve.org/view.php?id=CVE-2018-11020
kernel/omap/drivers/rpmsg/rpmsg_omx.c in the kernel component in Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 allows attackers to inject a crafted argument via the argument of an ioctl on device file /dev/rpmsg-omx1 with the command 3221772291, and cause a kernel crash. kernel/omap/drivers/rpmsg/rpmsg_omx.c en el componente kernel en Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 permite que los atacantes inyecten un argumento manipulado mediante el argumento de una llamada ioctl en el archivo del dispositivo /dev/rpmsg-omx1 con el comando 3221772291 y provoquen el cierre inesperado del kernel. • https://github.com/datadancer/HIAFuzz/blob/master/CVE-2018-11020.md https://github.com/datadancer/HIAFuzz/blob/master/CVE-Advisory.md • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •