CVE-2020-28055

Name of the Vulnerable Software and Affected Versions TCL Android Smart TV series V8-R851T02-LF1 versions V295 and below TCL Android Smart TV series V8-T658T01-LF1 versions V373 and below

Description A local unprivileged attacker, such as a malicious App, can read and write to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories within the TV file system. This allows an attacker, such as a malicious APK or local unprivileged user, to perform fake system upgrades by writing to the /data/vendor/upgrade folder.

Recommendations For TCL Android Smart TV series V8-R851T02-LF1 versions V295 and below: consider restricting access to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories to prevent unauthorized read and write operations. For TCL Android Smart TV series V8-T658T01-LF1 versions V373 and below: consider restricting access to the /data/vendor/tcl, /data/vendor/upgrade, and /var/TerminalManager directories to prevent unauthorized read and write operations. At the moment, there is no information about a newer version that contains a fix for this vulnerability.