CVE-2019-14761
published 2020-09-14CVE-2019-14761: An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject…
PriorityP417medium4.4CVSS 3.1
AVLACLPRNUIRSUCLILAN
EPSS
0.40%
32.3th percentile
An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Note application. At a bare minimum, this allows an attacker to take control over the Note application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aws | aws-sdk-php | >= 0 < 3.368.0 | 3.368.0 |
| kaiostech | kaios | — | — |
CVSS provenance
nvdv3.14.4MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
nvdv2.01.9LOWAV:L/AC:M/Au:N/C:N/I:P/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue
ghsa·2025-12-18
CVE-2025-14761 [MEDIUM] CWE-327 AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue
AWS SDK for PHP's S3 Encryption Client has a Key Commitment Issue
## Summary
S3 Encryption Client for PHP is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
## Impact
### Background - Key Commitment
There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an en
GHSA
GHSA-jr48-437x-gh24: An issue was discovered in KaiOS 2
ghsa_unreviewed·2022-05-24
CVE-2019-14761 [MEDIUM] CWE-74 GHSA-jr48-437x-gh24: An issue was discovered in KaiOS 2
An issue was discovered in KaiOS 2.5. The pre-installed Note application is vulnerable to HTML and JavaScript injection attacks. A local attacker can inject arbitrary HTML into the Note application. At a bare minimum, this allows an attacker to take control over the Note application's UI (e.g., display a malicious prompt to the user asking them to re-enter credentials such as their KaiOS credentials to continue using the application) and also allows an attacker to abuse any of the privileges available to the mobile application.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://research.nccgroup.com/2020/08/21/technical-advisory-multiple-html-injection-vulnerabilities-in-kaios-pre-installed-mobile-applications/https://www.nccgroup.trust/us/our-research/https://research.nccgroup.com/2020/08/21/technical-advisory-multiple-html-injection-vulnerabilities-in-kaios-pre-installed-mobile-applications/https://www.nccgroup.trust/us/our-research/
2020-09-14
Published