George Piskas

Researcher fromÉcole polytechnique fédérale de Lausanne
#21696of 53,632
11Total CVSS
Vulnerabilities · 2
Medium
2
PT-2016-2221
5.5
2016-04-18
Google · Android · CVE-2016-2426
**Name of the Vulnerable Software and Affected Versions** Android versions 4.x through 4.4.3 Android versions 5.0.x through 5.0.1 Android versions 5.1.x through 5.1.0 Android versions 6.x before 2016-04-01 **Description** The issue exists due to a lack of permission check for GET ACCOUNTS in the ContentService.java file within the Framework component. This allows attackers to obtain sensitive information via a crafted application. The exploitation of this issue can enable a remote attacker to gain confidential information using a specially designed application. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-04-01, ensure your device is updated with the latest security patch released on or after 2016-04-01.
PT-2016-2222
5.5
2016-04-18
Google · Aosp Mail · CVE-2016-2425
**Name of the Vulnerable Software and Affected Versions** AOSP Mail versions prior to 4.4.4 AOSP Mail versions 5.0.x prior to 5.0.2 AOSP Mail versions 5.1.x prior to 5.1.1 AOSP Mail versions 6.x before 2016-04-01 **Description** The issue is related to the lack of protection for sensitive data in the `mail/compose/ComposeActivity.java` component of AOSP Mail in the Android operating system. This can be exploited by a remote attacker using a specially crafted application to obtain confidential information. The vulnerability is specifically related to the support of `file:///data` attachments in the affected versions. **Recommendations** For versions prior to 4.4.4, update to version 4.4.4 or later. For versions 5.0.x prior to 5.0.2, update to version 5.0.2 or later. For versions 5.1.x prior to 5.1.1, update to version 5.1.1 or later. For versions 6.x before 2016-04-01, ensure that the patch level is 2016-04-01 or later. As a temporary workaround, consider restricting the use of the `file:///data` attachment feature in the `mail/compose/ComposeActivity.java` component until a patch is available.