The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Android Applications ~ not comprehensive

computer vulnerability announce CVE-2018-18976 CVE-2018-18977 CVE-2018-18978

Ascensia Contour NEXT ONE for Android: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Ascensia Contour NEXT ONE for Android.
Impacted products: Android Applications ~ not comprehensive.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 4.
Creation date: 07/05/2019.
Identifiers: CVE-2018-18976, CVE-2018-18977, CVE-2018-18978, CVE-2018-18979, VIGILANCE-VUL-29237.

Description of the vulnerability

An attacker can use several vulnerabilities of Ascensia Contour NEXT ONE for Android.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2018-4844

SIMATIC WinCC OA UI for Android/iOS: read-write access via HMI Project Cache

Synthesis of the vulnerability

An attacker can bypass access restrictions via HMI Project Cache of SIMATIC WinCC OA UI for Android/iOS, in order to read or alter data.
Impacted products: Android Applications ~ not comprehensive, SIMATIC.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: document.
Creation date: 21/03/2018.
Identifiers: CERTFR-2018-AVI-140, CVE-2018-4844, SSA-822928, VIGILANCE-VUL-25611.

Description of the vulnerability

An attacker can bypass access restrictions via HMI Project Cache of SIMATIC WinCC OA UI for Android/iOS, in order to read or alter data.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-5249 CVE-2017-5250

Android Wink, Insteon Hub: privilege escalation via an OAuth token

Synthesis of the vulnerability

A local attacker can retrieve an OAuth token from the Android applications Wink and Insteon Hub, in order to steal the end user privileges.
Impacted products: Android Applications ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/02/2018.
Identifiers: CVE-2017-5249, CVE-2017-5250, VIGILANCE-VUL-25363.

Description of the vulnerability

A local attacker can retrieve an OAuth token from the Android applications Wink and Insteon Hub, in order to steal the end user privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-6870 CVE-2017-6871

SIMATIC WinCC Sm@rtClient for Android: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of SIMATIC WinCC Sm@rtClient for Android.
Impacted products: Android Applications ~ not comprehensive, SIMATIC.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/08/2017.
Identifiers: CVE-2017-6870, CVE-2017-6871, SSA-589378, VIGILANCE-VUL-23468.

Description of the vulnerability

Several vulnerabilities were announced in SIMATIC WinCC Sm@rtClient for Android.

An attacker can act as a Man-in-the-Middle, in order to read or write data in the session. [severity:2/4; CVE-2017-6870]

An attacker can bypass security features via Unlocked Mobile Device, in order to escalate his privileges. [severity:1/4; CVE-2017-6871]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-5397

Mozilla Firefox pour Android: privilege escalation via cache corruption

Synthesis of the vulnerability

An attacker can change machine code files downloaded by Mozilla Firefox for Android, in order to get privileges of the Firefox application account.
Impacted products: Android Applications ~ not comprehensive, Firefox, SeaMonkey.
Severity: 3/4.
Consequences: privileged access/rights.
Provenance: document.
Creation date: 10/02/2017.
Identifiers: CERTFR-2017-AVI-046, CVE-2017-5397, MFSA-2017-04, VIGILANCE-VUL-21798.

Description of the vulnerability

The Mozilla Firefox pour Android product is a Web browser.

With the default configuration, Firefox use the system cache to temporary store libraries. However, the system cache is writable by all device process.

An attacker can therefore change machine code files downloaded by Mozilla Firefox for Android, in order to get privileges of the Firefox application account.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert 20196

Android Contacts: phone calls

Synthesis of the vulnerability

An attacker can invite the victim to install a malicious application, which uses Android Contacts, in order to make phone calls.
Impacted products: Android Applications ~ not comprehensive, Android OS.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: user shell.
Creation date: 22/07/2016.
Identifiers: JVN#06212291, VIGILANCE-VUL-20196.

Description of the vulnerability

The Contacts application can be installed on Android.

However, it accepts queries form other local applications, which request a phone call, without the CALL_PHONE permission.

An attacker can therefore invite the victim to install a malicious application, which uses Android Contacts, in order to make phone calls.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2016-5648

Android Acer Portal: lack of X.509 certificate validaiton in a TLS connection

Synthesis of the vulnerability

An attacker can spoof the portal server used by Android Acer Portal, in order to steal credentials, then get user rights to the owner's content.
Impacted products: Android Applications ~ not comprehensive.
Severity: 3/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet server.
Creation date: 07/07/2016.
Identifiers: CVE-2016-5648, VIGILANCE-VUL-20046, VU#690343.

Description of the vulnerability

The Android application Acer Portal product is used to manage user content stored in the "cloud".

The management portal is accessed via a TLS connection. However, the application does not verify the X.509 server certificate.

An attacker can therefore spoof the portal server used by Android Acer Portal, in order to steal credentials, then get user rights to the owner's content.
Full Vigil@nce bulletin... (Free trial)

vulnerability 19870

Android Security & Power Booster - free: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Android Security & Power Booster - free.
Impacted products: Android Applications ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/06/2016.
Identifiers: VIGILANCE-VUL-19870.

Description of the vulnerability

Several vulnerabilities were announced in Android Security & Power Booster - free.

An attacker can force a NULL pointer to be dereferenced in the baidu module, in order to trigger a denial of service. [severity:2/4]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note 19869

Android Malwarebytes Anti-Malware: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Android Malwarebytes Anti-Malware.
Impacted products: Android Applications ~ not comprehensive.
Severity: 2/4.
Consequences: data creation/edition, denial of service on service.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/06/2016.
Identifiers: VIGILANCE-VUL-19869.

Description of the vulnerability

Several vulnerabilities were announced in Android Malwarebytes Anti-Malware.

An attacker can intercept unprotected or wrongly protected network communications, notably WiFi ones, for instance to corrupt ou remove signature databases. Typically TLS is not used or the server authentication is incomplete (incomplete certificate validation for instance). [severity:2/4]

An attacker can trigger a fatal error via ScAppInstallReceiver, in order to trigger a denial of service. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin 19868

Android Kaspersky Internet Security: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Android Kaspersky Internet Security.
Impacted products: Android Applications ~ not comprehensive.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/06/2016.
Identifiers: VIGILANCE-VUL-19868.

Description of the vulnerability

Several vulnerabilities were announced in Android Kaspersky Internet Security.

An attacker can intercept unprotected or wrongly protected network communications, notably WiFi ones, for instance to corrupt ou remove signature databases. Typically TLS is not used or the server authentication is incomplete (incomplete certificate validation for instance). [severity:2/4]

An attacker can submit a zip archive including path with "../", in order to overwrite any file. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Android Applications ~ not comprehensive: