Erez Yalon

**Name of the Vulnerable Software and Affected Versions** Amazon Echo devices (affected versions not specified) **Description** The reprompt feature in Amazon Echo devices could be misused by a custom Alexa skill, allowing an attacker to obtain transcripts of speech not intended for Alexa to process. This issue involves empty output-speech reprompts, custom wildcard input slots, and logging of detected speech. If a maliciously designed skill is installed, it could capture speech spoken within the device's hearing range. **Recommendations** For Amazon Echo devices, the vendor has put mitigations in place for detecting this type of skill behavior and rejects or suppresses those skills when detected. Customers do not need to take any action for these mitigations to work.

**Name of the Vulnerable Software and Affected Versions** Huawei Honor 8 Lite versions before Prague-L31C576B172 Huawei Honor 8 Lite versions before Prague-L31C530B160 Huawei Honor 8 Lite versions before Prague-L31C432B180 **Description** The Themes App has a man-in-the-middle (MITM) issue due to the use of the insecure HTTP protocol for theme download. An attacker may exploit this to tamper with downloaded themes. **Recommendations** For versions before Prague-L31C576B172, consider disabling the theme download feature until a secure update is available. For versions before Prague-L31C530B160, restrict theme downloads to trusted sources to minimize the risk of exploitation. For versions before Prague-L31C432B180, avoid using the theme download feature over unsecured networks until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tinder iOS app (affected versions not specified) Tinder Android app (affected versions not specified) **Description** The issue concerns the unencrypted transmission of images in the Tinder app, which allows an attacker to extract private sensitive information by sniffing network traffic. **Recommendations** For Tinder iOS app, update to a version that implements encrypted image transmission to prevent sensitive information from being extracted. For Tinder Android app, update to a version that implements encrypted image transmission to prevent sensitive information from being extracted.

**Name of the Vulnerable Software and Affected Versions** Tinder iOS app (affected versions not specified) Tinder Android app (affected versions not specified) **Description** The issue allows an attacker to extract private sensitive information by sniffing network traffic due to fixed sizes of HTTPS responses. **Recommendations** For Tinder iOS app, update to a version that includes a fix for this issue, if available. For Tinder Android app, update to a version that includes a fix for this issue, if available. As a temporary workaround, consider using a virtual private network (VPN) to encrypt network traffic and minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167 P10 and P10 Plus smartphones with software versions before VTR-TL00C01B167 P10 and P10 Plus smartphones with software versions before VKY-AL00C00B167 P10 and P10 Plus smartphones with software versions before VKY-TL00C01B167 **Description** The issue affects the call module, allowing an attacker to crash the call and data communication process by tricking a user into installing a malicious application. This application can send a given parameter to the call module, resulting in a denial of service. **Recommendations** For P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167, update to version VTR-AL00C00B167 or later. For P10 and P10 Plus smartphones with software versions before VTR-TL00C01B167, update to version VTR-TL00C01B167 or later. For P10 and P10 Plus smartphones with software versions before VKY-AL00C00B167, update to version VKY-AL00C00B167 or later. For P10 and P10 Plus smartphones with software versions before VKY-TL00C01B167, update to version VKY-TL00C01B167 or later.

**Name of the Vulnerable Software and Affected Versions** Huawei VMall (for Android) versions prior to 1.5.8.5 **Description** The issue is due to improper design, allowing an attacker to trick users into installing a malicious app. This app can send HTTP requests and execute JavaScript code in web pages without obtaining the Internet access permission, potentially leading to resource occupation or information leak. **Recommendations** For versions prior to 1.5.8.5, update to version 1.5.8.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167 P10 and P10 Plus smartphones with software versions before VTR-TL00C01B167 P10 and P10 Plus smartphones with software versions before VKY-AL00C00B167 P10 and P10 Plus smartphones with software versions before VKY-TL00C01B167 **Description** The issue affects the call module, allowing an attacker to crash the call and data communication process by tricking a user into installing a malicious application. This application can send a given parameter to the call module, resulting in a denial of service. **Recommendations** For P10 and P10 Plus smartphones with software versions before VTR-AL00C00B167, update to version VTR-AL00C00B167 or later. For P10 and P10 Plus smartphones with software versions before VTR-TL00C01B167, update to version VTR-TL00C01B167 or later. For P10 and P10 Plus smartphones with software versions before VKY-AL00C00B167, update to version VKY-AL00C00B167 or later. For P10 and P10 Plus smartphones with software versions before VKY-TL00C01B167, update to version VKY-TL00C01B167 or later.

**Name of the Vulnerable Software and Affected Versions** Honor 5A versions before CAM-L03C605B143CUSTC605D003 Honor 8 Lite versions before Prague-L03C605B161 Honor 8 Lite versions before Prague-L23C605B160 Mate9 versions before MHA-AL00C00B225 Mate9 versions before LON-AL00C00B225 P10 versions before VTR-AL00C00B167 P10 versions before VTR-TL00C01B167 P10 Plus versions before VKY-AL00C00B167 P10 Plus versions before VKY-TL00C01B167 **Description** The issue is related to a resource exhaustion vulnerability due to a configuration setting. An attacker may trick a user into installing a malicious application, which can then turn on the device's flash-light and rapidly drain the device battery. **Recommendations** For Honor 5A versions before CAM-L03C605B143CUSTC605D003, update to version CAM-L03C605B143CUSTC605D003 or later. For Honor 8 Lite versions before Prague-L03C605B161, update to version Prague-L03C605B161 or later. For Honor 8 Lite versions before Prague-L23C605B160, update to version Prague-L23C605B160 or later. For Mate9 versions before MHA-AL00C00B225, update to version MHA-AL00C00B225 or later. For Mate9 versions before LON-AL00C00B225, update to version LON-AL00C00B225 or later. For P10 versions before VTR-AL00C00B167, update to version VTR-AL00C00B167 or later. For P10 versions before VTR-TL00C01B167, update to version VTR-TL00C01B167 or later. For P10 Plus versions before VKY-AL00C00B167, update to version VKY-AL00C00B167 or later. For P10 Plus versions before VKY-TL00C01B167, update to version VKY-TL00C01B167 or later.