CVE-2019-14758

Name of the Vulnerable Software and Affected Versions KaiOS versions 2.5 through 2.5.1

Description An issue was discovered in the pre-installed File Manager application, which is vulnerable to HTML and JavaScript injection attacks. An attacker can send a file via email to the victim that will inject HTML into the File Manager application, allowing the attacker to take control over the application's UI and abuse any available privileges. This could lead to the display of malicious prompts, asking the user to re-enter credentials such as their KaiOS credentials.

Recommendations For KaiOS versions 2.5 and 2.5.1, consider disabling the File Manager application until a patch is available to prevent potential HTML and JavaScript injection attacks. Restrict access to email attachments that could be used to inject malicious HTML into the File Manager application. Avoid downloading email attachments from untrusted sources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.