CVE-2019-14757

Name of the Vulnerable Software and Affected Versions: KaiOS versions 2.5 through 2.5.1

Description: An issue was discovered in the pre-installed Contacts application, which is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim, injecting HTML into the Contacts application if the victim imports the file. This allows the attacker to take control over the Contacts application's UI, potentially displaying a malicious prompt to the user asking them to re-enter credentials, and abuse any available privileges to the mobile application.

Recommendations: For KaiOS versions 2.5 through 2.5.1, consider disabling the import of vCard files in the Contacts application until a patch is available to prevent HTML and JavaScript injection attacks. Restrict access to the Contacts application to minimize the risk of exploitation. Avoid using the Contacts application to import files from untrusted sources until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.