Total
187 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-15426 | 1 Mi | 2 5s Plus, 5s Plus Firmware | 2024-11-21 | 3.3 Low |
| The Xiaomi 5S Plus Android device with a build fingerprint of Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15425 | 1 Katadigital | 2 M4s, M4s Firmware | 2024-11-21 | 3.3 Low |
| The Kata M4s Android device with a build fingerprint of alps/full_hct6750_66_n/hct6750_66_n:7.0/NRD90M/1495624556:user/test-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15424 | 1 Doogee | 2 Bl5000, Bl5000 Firmware | 2024-11-21 | 3.3 Low |
| The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15423 | 1 Bluboo S1 Project | 2 Blueboo S1, Blueboo S1 Firmware | 2024-11-21 | 3.3 Low |
| The Bluboo Bluboo_S1 Android device with a build fingerprint of BLUBOO/Bluboo_S1/Bluboo_S1:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15422 | 1 Doogee | 2 Mix, Mix Firmware | 2024-11-21 | 3.3 Low |
| The Doogee Mix Android device with a build fingerprint of DOOGEE/MIX/MIX:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15421 | 1 Blackview | 2 Bv7000 Pro, Bv7000 Pro Firmware | 2024-11-21 | 3.3 Low |
| The Blackview BV7000_Pro Android device with a build fingerprint of Blackview/BV7000_Pro/BV7000_Pro:7.0/NRD90M/1493011204:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15420 | 1 Blackview | 2 Bv9000pro-f, Bv9000pro-f Firmware | 2024-11-21 | 3.3 Low |
| The Blackview BV9000Pro-F Android device with a build fingerprint of Blackview/BV9000Pro-F/BV9000Pro-F:7.1.1/N4F26M/1514363110:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15419 | 1 Asus | 2 X105d, X105d Firmware | 2024-11-21 | 7.8 High |
| The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15418 | 1 Asus | 4 Pegasus 4 Max, Pegasus 4 Max Firmware, Pegasus 4a and 1 more | 2024-11-21 | 7.8 High |
| The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15415 | 1 Mi | 2 Redmi 5, Redmi 5 Firmware | 2024-11-21 | 3.3 Low |
| The Xiaomi Redmi 5 Android device with a build fingerprint of xiaomi/vince/vince:7.1.2/N2G47H/V9.5.4.0.NEGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1711_201803291645) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15405 | 1 Asus | 4 Pegasus 4 Max, Pegasus 4 Max Firmware, Pegasus 4a and 1 more | 2024-11-21 | 7.8 High |
| The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app. | ||||
| CVE-2019-15394 | 1 Asus | 2 Zenfone 5 Selfie, Zenfone 5 Selfie Firmware | 2024-11-21 | 7.8 High |
| The Asus ZenFone 5 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2019-15393 | 1 Asus | 2 Zenfone Live \(l1\), Zenfone Live \(l1\) Firmware | 2024-11-21 | 3.3 Low |
| The Asus ZenFone Live Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | ||||
| CVE-2018-9582 | 1 Google | 1 Android | 2024-11-21 | N/A |
| In package installer in Android-8.0, Android-8.1 and Android-9, there is a possible bypass of the unknown source warning due to a confused deputy scenario. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Android ID: A-112031362. | ||||
| CVE-2018-7824 | 2 Microsoft, Schneider-electric | 3 Windows, Driver Suite, Modbus Serial Driver | 2024-11-21 | 4.9 Medium |
| An Externally Controlled Reference to a Resource (CWE-610) vulnerability exists in Schneider Electric Modbus Serial Driver (For 64-bit Windows OS:V3.17 IE 37 and prior , For 32-bit Windows OS:V2.17 IE 27 and prior, and as part of the Driver Suite version:V14.12 and prior) which could allow write access to system files available only to users with SYSTEM privilege or other important user files. | ||||
| CVE-2018-12475 | 1 Opensuse | 1 Open Build Service | 2024-11-21 | 6.5 Medium |
| A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service . | ||||
| CVE-2018-12381 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2024-11-21 | N/A |
| Manually dragging and dropping an Outlook email message into the browser will trigger a page navigation when the message's mail columns are incorrectly interpreted as a URL. *Note: this issue only affects Windows operating systems with Outlook installed. Other operating systems are not affected.*. This vulnerability affects Firefox ESR < 60.2 and Firefox < 62. | ||||
| CVE-2017-18357 | 1 Shopware | 1 Shopware | 2024-11-21 | N/A |
| Shopware before 5.3.4 has a PHP Object Instantiation issue via the sort parameter to the loadPreviewAction() method of the Shopware_Controllers_Backend_ProductStream controller, with resultant XXE via instantiation of a SimpleXMLElement object. | ||||
| CVE-2017-16088 | 1 Safe-eval Project | 1 Safe-eval | 2024-11-21 | N/A |
| The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized user input can access the entire standard library and effectively break out of the sandbox. | ||||
| CVE-2016-0796 | 1 Mb.miniaudioplayer Project | 1 Mb.miniaudioplayer | 2024-11-21 | 7.5 High |
| WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities because it fails to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind vulnerable website or to perform otherwise restricted actions and subsequently download files with the extension mp3, mp4a, wav and ogg from anywhere the web server application has read access to the system. WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files version 1.7.6 is vulnerable; prior versions may also be affected. | ||||