PT-2019-14595 · Tcl+1 · Tcl Alcatel Cingular Flip 2+1

Published: 2019-11-26 · Updated: 2020-08-24 · CVE-2019-16243

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: TCL Alcatel Cingular Flip 2 version B9HUAH1

Description: The issue concerns an undocumented web API that permits unprivileged JavaScript, including JavaScript running within the KaiOS browser, to view and edit the device's firmware over-the-air update settings. This web API is typically used by the system application to trigger firmware updates via OmaService.js.

Recommendations: For version B9HUAH1, as a temporary workaround, consider restricting access to the undocumented web API until a patch is available. Avoid using the OmaService.js for firmware updates until the issue is resolved.

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2019-16243

Affected Products

Kaios
Tcl Alcatel Cingular Flip 2