The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2020-0033 | In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out of bounds write due to stale pointer. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144351324 | HIGH | Mar 11, 2020 |
| CVE-2020-0032 | In ih264d_release_display_bufs of ih264d_utils.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-145364230 | HIGH | Mar 11, 2020 |
| CVE-2020-0031 | In triggerAugmentedAutofillLocked and related functions of Session.java, it is possible for Augmented Autofill to display sensitive information to the user inappropriately. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141703197 | MEDIUM | Mar 11, 2020 |
| CVE-2020-0030 | In binder_thread_release of binder.c, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-145286050References: Upstream kernel | MEDIUM | Feb 13, 2020 |
| CVE-2020-0029 | In the WifiConfigManager, there is a possible storage of location history which can only be deleted by triggering a factory reset. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-140065828 | LOW | Mar 11, 2020 |
| CVE-2020-0028 | In notifyNetworkTested and related functions of NetworkMonitor.java, there is a possible bypass of private DNS settings. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-9Android ID: A-122652057 | HIGH | Feb 13, 2020 |
| CVE-2020-0027 | In HidRawSensor::batch of HidRawSensor.cpp, there is a possible out of bounds write due to an unexpected switch fallthrough. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-144040966 | HIGH | Feb 13, 2020 |
| CVE-2020-0026 | In Parcel::continueWrite of Parcel.cpp, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-140419401 | HIGH | Feb 13, 2020 |
| CVE-2020-0025 | In deletePackageVersionedInternal of PackageManagerService.java, there is a possible way to exit Screen Pinning due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-135604684 | MEDIUM | Mar 12, 2021 |
| CVE-2020-0024 | In onCreate of SettingsBaseActivity.java, there is a possible unauthorized setting modification due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-8.0Android ID: A-137015265 | MEDIUM | May 15, 2020 |
| CVE-2020-0023 | In setPhonebookAccessPermission of AdapterService.java, there is a possible disclosure of user contacts over bluetooth due to a missing permission check. This could lead to local information disclosure if a malicious app enables contacts over a bluetooth connection, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145130871 | MEDIUM | Feb 13, 2020 |
| CVE-2020-0022 | In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715 | HIGH | Feb 13, 2020 |
| CVE-2020-0021 | In removeUnusedPackagesLPw of PackageManagerService.java, there is a possible permanent denial-of-service due to a missing package dependency test. This could lead to remote denial of service with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141413692 | MEDIUM | Feb 13, 2020 |
| CVE-2020-0020 | In getAttributeRange of ExifInterface.java, there is a possible failure to redact location information from media files due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-143118731 | MEDIUM | Feb 13, 2020 |
| CVE-2020-0019 | In the Broadcom Nexus firmware, there is an insecure default password. This could lead to local information disclosure in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-171413798 | LOW | Dec 16, 2020 |
| CVE-2020-0018 | In MotionEntry::appendDescription of InputDispatcher.cpp, there is a possible log information disclosure. This could lead to local disclosure of user input with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139945049 | LOW | Feb 13, 2020 |
| CVE-2020-0017 | In multiple places, it was possible for the primary user?? dictionary to be visible to and modifiable by secondary users. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-123232892 | LOW | Feb 13, 2020 |
| CVE-2020-0016 | In the Broadcom Nexus firmware, there is an insecure default password. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-171413483 | HIGH | Dec 16, 2020 |
| CVE-2020-0015 | In onCreate of CertInstaller.java, there is a possible way to overlay the Certificate Installation dialog by a malicious application. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-139017101 | MEDIUM | Feb 13, 2020 |
| CVE-2020-0014 | It is possible for a malicious application to construct a TYPE_TOAST window manually and make that window clickable. This could lead to a local escalation of privilege with no additional execution privileges needed. User action is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-128674520 | MEDIUM | Feb 13, 2020 |
| CVE-2020-0012 | In fpc_ta_pn_get_unencrypted_image of fpc_ta_pn.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-137648844 | HIGH | Mar 11, 2020 |
| CVE-2020-0011 | In get_auth_result of fpc_ta_hw_auth.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-137648045References: N/A | HIGH | Mar 11, 2020 |
| CVE-2020-0010 | In fpc_ta_get_build_info of fpc_ta_kpi.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-137014293References: N/A | HIGH | Mar 11, 2020 |
| CVE-2020-0009 | In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write to shared memory due to a permissions bypass. This could lead to local escalation of privilege by corrupting memory shared between processes, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android kernel Android ID: A-142938932 | LOW | Jan 13, 2020 |
| CVE-2020-0008 | In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there is a possible out of bounds read due to a race condition. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142558228 | LOW | Jan 14, 2020 |
| CVE-2020-0007 | In flattenString8 of Sensor.cpp, there is a possible information disclosure of heap memory due to uninitialized data. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-141890807 | LOW | Jan 14, 2020 |
| CVE-2020-0006 | In rw_i93_send_cmd_write_single_block of rw_i93.cc, there is a possible information disclosure of heap memory due to uninitialized data. This could lead to remote information disclosure in the NFC server with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-139738828 | MEDIUM | Jan 13, 2020 |
| CVE-2020-0005 | In btm_read_remote_ext_features_complete of btm_acl.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-141552859 | HIGH | Feb 13, 2020 |
| CVE-2020-0004 | In generateCrop of WallpaperManagerService.java, there is a possible sysui crash due to image exceeding maximum texture size. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-120847476 | LOW | Jan 14, 2020 |
| CVE-2020-0003 | In onCreate of InstallStart.java, there is a possible package validation bypass due to a time-of-check time-of-use vulnerability. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-8.0 Android ID: A-140195904 | LOW | Jan 10, 2020 |
| CVE-2020-0002 | In ih264d_init_decoder of ih264d_api.c, there is a possible out of bounds write due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-142602711 | HIGH | Jan 10, 2020 |
| CVE-2020-0001 | In getProcessRecordLocked of ActivityManagerService.java isolated apps are not handled correctly. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-8.0, Android-8.1, Android-9, and Android-10 Android ID: A-140055304 | HIGH | Jan 14, 2020 |
| CVE-2019-1020019 | invenio-previewer before 1.0.0a12 allows XSS. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020018 | Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via an email link. | HIGH | Jul 29, 2019 |
| CVE-2019-1020017 | Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a confirmation screen when logging in via a user-api OTP. | MEDIUM | Jul 29, 2019 |
| CVE-2019-1020016 | ASH-AIO before 2.0.0.3 allows an open redirect. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020015 | graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 mishandles the audience check while verifying JWT. | MEDIUM | Aug 5, 2019 |
| CVE-2019-1020014 | docker-credential-helpers before 0.6.3 has a double free in the List functions. | LOW | Aug 5, 2019 |
| CVE-2019-1020013 | parse-server before 3.6.0 allows account enumeration. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020012 | parse-server before 3.4.1 allows DoS after any POST to a volatile class. | MEDIUM | Aug 2, 2019 |
| CVE-2019-1020011 | SmokeDetector intentionally does automatic deployments of updated copies of SmokeDetector without server operator authority. | MEDIUM | Aug 5, 2019 |
| CVE-2019-1020010 | Misskey before 10.102.4 allows hijacking a user\'s token. | MEDIUM | Aug 5, 2019 |
| CVE-2019-1020009 | Fleet before 2.1.2 allows exposure of SMTP credentials. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020008 | stacktable.js before 1.0.4 allows XSS. | MEDIUM | Jul 31, 2019 |
| CVE-2019-1020007 | Dependency-Track before 3.5.1 allows XSS. | LOW | Jul 30, 2019 |
| CVE-2019-1020006 | invenio-app before 1.1.1 allows host header injection. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020005 | invenio-communities before 1.0.0a20 allows XSS. | LOW | Aug 1, 2019 |
| CVE-2019-1020004 | Tridactyl before 1.16.0 allows fake key events. | MEDIUM | Aug 1, 2019 |
| CVE-2019-1020003 | invenio-records before 1.2.2 allows XSS. | LOW | Aug 1, 2019 |
| CVE-2019-1020002 | Pterodactyl before 0.7.14 with 2FA allows credential sniffing. | MEDIUM | Jul 31, 2019 |
