CVE-2019-16243 Information

Description

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices there is an undocumented web API that allows unprivileged JavaScript including JavaScript running within the KaiOS browser to view and edit the device’s firmware over-the-air update settings. (This web API is normally used by the system application to trigger firmware updates via OmaService.js.)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://www.nccgroup.trust/uk/our-research/?research=Technical+advisories https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabilities-in-alcatel-flip-2/B

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1