CVE-2019-16243 — MEDIUM (6.1)

Vulnerability Description

On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. (This web API is normally used by the system application to trigger firmware updates via OmaService.js.)

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Alcatelmobile	Cingular Flip 2 Firmware	b9huah1
Alcatelmobile	Cingular Flip 2	-

Related Weaknesses (CWE)

CWE-306

References

https://www.nccgroup.trust/uk/our-research/?research=Technical+advisoriesThird Party Advisory
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabiExploitThird Party Advisory
https://www.nccgroup.trust/uk/our-research/?research=Technical+advisoriesThird Party Advisory
https://www.nccgroup.trust/us/our-research/technical-advisory-multiple-vulnerabiExploitThird Party Advisory

FAQ

What is CVE-2019-16243?

CVE-2019-16243 is a vulnerability with a CVSS score of 6.1 (MEDIUM). On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocumented web API that allows unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device...

How severe is CVE-2019-16243?

CVE-2019-16243 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-16243?

Check the references section above for vendor advisories and patch information. Affected products include: Alcatelmobile Cingular Flip 2 Firmware, Alcatelmobile Cingular Flip 2.