CVE-2019-14756

Name of the Vulnerable Software and Affected Versions: KaiOS versions 1.0 through 2.5.12.5

Description: An issue was discovered in the pre-installed Email application, which is vulnerable to HTML and JavaScript injection attacks. An attacker can send a specially crafted email to the victim that will inject HTML into the email application's UI as soon as the email is opened. This allows an attacker to take control over the Email application's UI, such as displaying a malicious prompt to the user asking them to re-enter their email credentials, and also allows an attacker to abuse any of the privileges available to the mobile application.

Recommendations: For KaiOS versions 1.0 through 2.5.12.5, consider disabling the Email application until a patch is available to prevent HTML and JavaScript injection attacks. Restrict access to the Email application's UI to minimize the risk of exploitation. Avoid opening suspicious emails from unknown senders to reduce the risk of attack. At the moment, there is no information about a newer version that contains a fix for this vulnerability.