CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38292
https://notcve.org/view.php?id=CVE-2023-38292
22 Apr 2024 — Certain software builds for the TCL 20XE Android device contain a vulnerable, pre-installed app with a package name of com.tct.gcs.hiddenmenuproxy (versionCode='2', versionName='v11.0.1.0.0201.0') that allows local third-party apps to programmatically perform a factory reset due to inadequate access control. No permissions or special privileges are necessary to exploit the vulnerability in the com.tct.gcs.hiddenmenuproxy app. No user interaction is required beyond installing and running a third-party app. T... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-38295
https://notcve.org/view.php?id=CVE-2023-38295
22 Apr 2024 — Certain software builds for the TCL 30Z and TCL 10 Android devices contain a vulnerable, pre-installed app that relies on a missing permission that provides no protection at runtime. The missing permission is required as an access permission by components in various pre-installed apps. On the TCL 30Z device, the vulnerable app has a package name of com.tcl.screenrecorder (versionCode='1221092802', versionName='v5.2120.02.12008.1.T' ; versionCode='1221092805', versionName='v5.2120.02.12008.2.T'). On the TCL ... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-276: Incorrect Default Permissions •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38296
https://notcve.org/view.php?id=CVE-2023-38296
22 Apr 2024 — Various software builds for the following TCL 30Z and TCL A3X devices leak the ICCID to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as follows: TCL ... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-266: Incorrect Privilege Assignment CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38298
https://notcve.org/view.php?id=CVE-2023-38298
22 Apr 2024 — Various software builds for the following TCL devices (30Z, A3X, 20XE, 10L) leak the device IMEI to a system property that can be accessed by any local app on the device without any permissions or special privileges. Google restricted third-party apps from directly obtaining non-resettable device identifiers in Android 10 and higher, but in these instances they are leaked by a high-privilege process and can be obtained indirectly. The software build fingerprints for each confirmed vulnerable device are as f... • https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Ryan%20Johnson%20Mohamed%20Elsabagh%20Angelos%20Stavrou%20-%20Still%20Vulnerable%20Out%20of%20the%20Box%20Revisiting%20the%20Security%20of%20Prepaid%20Android%20Carrier%20Devices.pdf • CWE-266: Incorrect Privilege Assignment CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 2CVE-2023-43481
https://notcve.org/view.php?id=CVE-2023-43481
27 Dec 2023 — An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component. Un problema en Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp permite a un atacante remoto ejecutar código JavaScript arbitrario a través del componente com.tcl.browser.portal.browse.activity.BrowsePageActivity. • https://github.com/actuator/com.tcl.browser • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 1CVE-2022-27660
https://notcve.org/view.php?id=CVE-2022-27660
05 Aug 2022 — A denial of service vulnerability exists in the confctl_set_guest_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability. Se presenta una vulnerabilidad de denegación de servicio en la funcionalidad confctl_set_guest_wlan de TCL LinkHub Mesh Wi-Fi versión MS1G_00_01.00_14. Un paquete de red especialmente diseñado puede conllevar a una denegación de servicio. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1502 • CWE-284: Improper Access Control •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-27633
https://notcve.org/view.php?id=CVE-2022-27633
05 Aug 2022 — An information disclosure vulnerability exists in the confctl_get_guest_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability. Se presenta una vulnerabilidad de divulgación de información en la funcionalidad confctl_get_guest_wlan de TCL LinkHub Mesh Wifi MS1G_00_01.00_14. Un paquete de red especialmente diseñado puede conllevar a una divulgación de información. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1503 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-27630
https://notcve.org/view.php?id=CVE-2022-27630
05 Aug 2022 — An information disclosure vulnerability exists in the confctl_get_master_wlan functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to information disclosure. An attacker can send packets to trigger this vulnerability. Se presenta una vulnerabilidad de divulgación de información en la funcionalidad confctl_get_master_wlan de TCL LinkHub Mesh Wi-Fi versión MS1G_00_01.00_14. Un paquete de red especialmente diseñado puede conllevar a una divulgación de informació... • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1504 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 1CVE-2022-27185
https://notcve.org/view.php?id=CVE-2022-27185
05 Aug 2022 — A denial of service vulnerability exists in the confctl_set_master_wlan functionality of TCL LinkHub Mesh Wifi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability. Se presenta una vulnerabilidad de denegación de servicio en la funcionalidad confctl_set_master_wlan de TCL LinkHub Mesh Wifi MS1G_00_01.00_14. Un paquete de red especialmente diseñado puede conllevar a una denegación de servicio. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1505 • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-27178
https://notcve.org/view.php?id=CVE-2022-27178
05 Aug 2022 — A denial of service vulnerability exists in the confctl_set_wan_cfg functionality of TCL LinkHub Mesh Wi-Fi MS1G_00_01.00_14. A specially-crafted network packet can lead to denial of service. An attacker can send packets to trigger this vulnerability. Se presenta una vulnerabilidad de denegación de servicio en la funcionalidad confctl_set_wan_cfg de TCL LinkHub Mesh Wi-Fi versión MS1G_00_01.00_14. Un paquete de red especialmente diseñado puede conllevar a una denegación de servicio. • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1506 • CWE-284: Improper Access Control •