The content://wappush content provider in com.android.provider.telephony, as found in some custom ROMs for Android phones, allows SQL injection. One consequence is that an application without the READ_SMS permission can read SMS messages. This affects Infinix X571 phones, as well as various Lenovo phones (such as the A7020) that have since been fixed by Lenovo.
References
Link | Resource |
---|---|
https://hacked0x90.wordpress.com/2018/07/12/lenovo-infinix-sql-injection-to-mobile-sms-leakage/ | Exploit Third Party Advisory |
Information
Published : 2018-07-15 09:29
Updated : 2018-09-21 06:47
NVD link : CVE-2018-14066
Mitre link : CVE-2018-14066
JSON object : View
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Products Affected
- android
infinixmobility
- infinix_x571
lenovo
- lenovo_a7020