Share this:
An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to import the file). At a bare minimum, this allows an attacker to take control over the Contacts application’s UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application.
Published at: September 14, 2020 at 04:15PM
View on website
More Stories
New vulnerability on the NVD: CVE-2020-19107
New vulnerability on the NVD: CVE-2020-19108
New vulnerability on the NVD: CVE-2020-19109