CVE-2019-14759
Published 2020-09-14
Priority: P4 (18) | medium | 4.4 CVSS 3.1
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:L / I:L / A:N
EPSS: 0.38% (30.1th percentile)
An issue was discovered in KaiOS 1.0, 2.5, and 2.5.1. The pre-installed Radio application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Radio application. At a bare minimum, this allows an attacker to take control over the Radio application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaiostech | kaios | — | — |
| kaiostech | kaios | — | — |
| kaiostech | kaios | — | — |
CVSS provenance
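| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
| nvd | v2.0 | 1.9 | LOW | AV:L/AC:M/Au:N/C:N/I:P/A:N |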
GHSA
Amazon S3 Encryption Client for .NET has a Key Commitment Issue
ghsa·2025-12-18
CVE-2025-14759 [MEDIUM] CWE-327
## Summary
S3 Encryption Client for .NET (S3EC) is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
## Impact
### Background - Key Commitment
There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which
GHSA
GHSA-6xfq-7wh8-vrjj: An issue was discovered in KaiOS 1
ghsa_unreviewed·2022-05-24
CVE-2019-14759 [MEDIUM] CWE-74
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.