PT-2020-9598 · Kaios · Kaios

Published: 2020-09-14 · Updated: 2021-07-21 · CVE-2019-14760

CVSS v3.1: 4.4 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

KaiOS version 2.5

Description

An issue was discovered in the pre-installed Recorder application, which is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Recorder application, allowing them to take control of the application's UI. This could be used to display a malicious prompt asking the user to re-enter credentials such as their KaiOS credentials, and it also allows an attacker to abuse any of the privileges available to the mobile application.

Recommendations

For KaiOS version 2.5, consider disabling the Recorder application until a patch is available to prevent potential HTML and JavaScript injection attacks. Restrict access to the Recorder application to minimize the risk of exploitation. Avoid using the Recorder application for sensitive tasks until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-14760

Affected Products

Kaios