ShaikUsaf

30 exploits Active since Jun 2020
CVE-2022-20347 NOMISEC HIGH
Android - Remote Privilege Escalation via ConnectedDeviceDashboardFragment
In onAttach of ConnectedDeviceDashboardFragment.java, there is a possible permission bypass due to a confused deputy. This could lead to remote escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-228450811
1 stars
CVSS 8.8
CVE-2022-20229 NOMISEC CRITICAL WORKING POC
Android - Out-of-bounds Write in bta_hf_client_handle_cind_list_item
In bta_hf_client_handle_cind_list_item of bta_hf_client_at.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-224536184
1 stars
CVSS 9.8
CVE-2021-0329 NOMISEC HIGH WRITEUP
Android - Out-of-bounds Write in AdvertiseManager Bluetooth Functions
In several native functions called by AdvertiseManager.java, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege in the Bluetooth server with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-171400004
1 stars
CVSS 7.8
CVE-2022-25313 NOMISEC MEDIUM WRITEUP
libexpat < 2.4.5 - Denial of Service via DTD Element Nesting
In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.
CVSS 6.5
CVE-2022-25314 NOMISEC HIGH WRITEUP
libexpat < 2.4.5 - Integer Overflow in copyString
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in copyString.
CVSS 7.5
CVE-2022-25315 NOMISEC CRITICAL WRITEUP
libexpat < 2.4.5 - Integer Overflow in storeRawNames
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.
CVSS 9.8
CVE-2022-20224 NOMISEC HIGH WORKING POC
Android - Out-of-bounds Read in Bluetooth AT_SKIP_REST
In AT_SKIP_REST of bta_hf_client_at.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure in the Bluetooth stack with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-220732646
CVSS 7.5
CVE-2022-20138 NOMISEC HIGH WORKING POC
Android - Missing Authorization in DevicePolicyManagerService
In ACTION_MANAGED_PROFILE_PROVISIONED of DevicePolicyManagerService.java, there is a possible way for unprivileged app to send MANAGED_PROFILE_PROVISIONED intent due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-210469972
CVSS 7.8
CVE-2021-0337 NOMISEC HIGH WORKING POC
Android -8.1,9,10,11 - Privilege Escalation
In moveInMediaStore of FileSystemProvider.java, there is a possible file exposure due to stale metadata. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-157474195
CVSS 7.8
CVE-2021-0326 NOMISEC HIGH WRITEUP
Android - Out-of-bounds Write in p2p_copy_client_info
In p2p_copy_client_info of p2p.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution if the target device is performing a Wi-Fi Direct search, with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172937525
CVSS 7.5
CVE-2021-0328 NOMISEC HIGH WORKING POC
Android - Missing Authorization in GattService Bluetooth Scan Result Retrieval
In onBatchScanReports and deliverBatchScan of GattService.java, there is a possible way to retrieve Bluetooth scan results without permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-172670415
CVSS 7.8
CVE-2021-0334 NOMISEC HIGH WRITEUP
Android 8.1-11 - Local Privilege Escalation via ResolverActivity Default Handler Bypass
In onTargetSelected of ResolverActivity.java, there is a possible settings bypass allowing an app to become the default handler for arbitrary domains. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-163358811
CVSS 7.8
CVE-2021-0431 NOMISEC HIGH WRITEUP
Android - Out-of-bounds Read in avrc_msg_cback
In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure to a paired device with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174149901
CVSS 7.5
CVE-2021-0435 NOMISEC HIGH WRITEUP
Android - Remote Information Disclosure via Uninitialized Data in avrc_proc_vendor_command
In avrc_proc_vendor_command of avrc_api.cc, there is a possible leak of heap data due to uninitialized data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-174150451
CVSS 7.5
CVE-2021-0475 NOMISEC HIGH WRITEUP
Android -11, Android-10 - Memory Corruption
In on_l2cap_data_ind of btif_sock_l2cap.cc, there is possible memory corruption due to a use after free. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-175686168
CVSS 8.8
CVE-2021-0481 NOMISEC HIGH WRITEUP
Android 8.1-11 - Unauthorized File Access via EditUserPhotoController URI Handler
In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-172939189
CVSS 7.8
CVE-2021-0520 NOMISEC HIGH WRITEUP
Android 10-11 - Use-After-Free via Race Condition in MemoryFileSystem
In several functions of MemoryFileSystem.cpp and related files, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-176237595
CVSS 7.0
CVE-2021-0705 NOMISEC HIGH WRITEUP
Android - Local Privilege Escalation via Background Service Restriction Bypass
In sanitizeSbn of NotificationManagerService.java, there is a possible way to keep service running in foreground and keep granted permissions due to Bypass of Background Service Restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-185388103
CVSS 7.8
CVE-2021-20138 NOMISEC HIGH WRITEUP
Gryphon Tower Firmware < 04.0004.12 - Unauthenticated OS Command Injection via Web Interface Parameters
An unauthenticated command injection vulnerability exists in multiple parameters in the Gryphon Tower router’s web interface at /cgi-bin/luci/rc. An unauthenticated remote attacker on the same network can execute commands as root on the device by sending a specially crafted malicious packet to the web interface.
CVSS 8.8
CVE-2021-0302 NOMISEC HIGH WRITEUP
Android - Tapjacking Attack via Insecure Default Value in PackageInstaller
In PackageInstaller, there is a possible tapjacking attack due to an insecure default value. This could lead to local escalation of privilege and permissions with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10Android ID: A-155287782
CVSS 7.8
CVE-2020-14356 NOMISEC HIGH WRITEUP
Linux Kernel < 5.7.10 - Null Pointer Dereference in cgroupv2 Subsystem
A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem in versions before 5.7.10 was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system.
CVSS 7.8
CVE-2020-0380 NOMISEC CRITICAL WORKING POC
Android - Out-of-bounds Write in allocExcessBits
In allocExcessBits of bitalloc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-146398979
CVSS 9.8
CVE-2020-0240 NOMISEC HIGH STUB
Android 10 - Remote Code Execution via Integer Overflow in NewFixedDoubleArray
In NewFixedDoubleArray of factory.cc, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-150706594
CVSS 8.8
CVE-2020-0226 NOMISEC HIGH WORKING POC
Android 10 - Local Privilege Escalation via Type Confusion in Client.cpp
In createWithSurfaceParent of Client.cpp, there is a possible out of bounds write due to type confusion. This could lead to local escalation of privilege in the graphics server with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-150226994
CVSS 7.8
CVE-2020-10757 NOMISEC HIGH WRITEUP
Linux Kernel >4.5-rc1 - Privilege Escalation
A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the way mremap handled DAX Huge Pages. This flaw allows a local attacker with access to a DAX enabled storage to escalate their privileges on the system.
CVSS 7.8