PT-2020-9597 · Kaios · Kaios
Published 2020-09-14 · Updated 2021-07-21
CVE-2019-14759
CVSS v3.1: 4.4 (Medium)
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
KaiOS versions 1.0 through 2.5.1
Description
The pre-installed Radio application in KaiOS is vulnerable to HTML and JavaScript injection. A local attacker can inject arbitrary HTML into the Radio application and thereby take control of its UI. This could let the attacker display a malicious prompt that asks the user to re-enter credentials, such as their KaiOS credentials, and abuse any privileges granted to the mobile application.
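The following is an added illustration of the bug class described above, not code from the advisory or from KaiOS: it contrasts rendering an untrusted string straight into markup (the pattern behind an HTML injection in a web-based app UI) with escaping it first. The function names, template and sample label are constructed for this example; the advisory does not identify where the injected text enters the Radio application.

```javascript
'use strict';

// Escape the five characters that change meaning inside HTML text or
// attribute values, so the value is displayed literally rather than parsed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern (constructed): the label is concatenated into markup
// that is later assigned to innerHTML, so tags in the label become live DOM.
function renderStationLabelVulnerable(label) {
  return `<span class="station">${label}</span>`;
}

// Hardened pattern: same template, but the label is escaped first.
// In a real app, prefer element.textContent = label over building markup.
function renderStationLabelSafe(label) {
  return `<span class="station">${escapeHtml(label)}</span>`;
}

// Detection helper: true if the markup contains any element other than the
// single wrapper span the template itself emits, i.e. input added markup.
function containsInjectedTag(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?span(\s[^>]*)?>$/.test(t));
}

// Constructed untrusted label carrying HTML and a script element.
const hostileLabel = '<b>FM 101.1</b><script>alert(1)</script>';

console.log(containsInjectedTag(renderStationLabelVulnerable(hostileLabel))); // true
console.log(containsInjectedTag(renderStationLabelSafe(hostileLabel)));       // false
```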
Recommendations
For KaiOS versions 1.0 through 2.5.1, consider disabling the Radio application until a patch is available to prevent HTML and JavaScript injection attacks. Restrict access to the Radio application to minimize the risk of exploitation. Avoid using the Radio application for sensitive activities until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness: XSS (HTML/JavaScript injection)
Affected Products: Kaios