Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-15419

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-14 Nov, 2019 | 16:26
Updated At-05 Aug, 2024 | 00:49
Rejected At-
Credits

The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:14 Nov, 2019 | 16:26
Updated At:05 Aug, 2024 | 00:49
Rejected At:
▼CVE Numbering Authority (CNA)

The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.kryptowire.com/android-firmware-2019/
x_refsource_MISC
Hyperlink: https://www.kryptowire.com/android-firmware-2019/
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.kryptowire.com/android-firmware-2019/
x_refsource_MISC
x_transferred
Hyperlink: https://www.kryptowire.com/android-firmware-2019/
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:14 Nov, 2019 | 17:15
Updated At:25 Nov, 2019 | 16:14

The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary2.07.2HIGH
AV:L/AC:L/Au:N/C:C/I:C/A:C
Type: Primary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 2.0
Base score: 7.2
Base severity: HIGH
Vector:
AV:L/AC:L/Au:N/C:C/I:C/A:C
CPE Matches
ASUS (ASUSTeK Computer Inc.)
asus
>>x105d_firmware>>-
cpe:2.3:o:asus:x105d_firmware:-:*:*:*:*:*:*:*
ASUS (ASUSTeK Computer Inc.)
asus
>>x105d>>-
cpe:2.3:h:asus:x105d:-:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-610Primarynvd@nist.gov
CWE ID: CWE-610
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.kryptowire.com/android-firmware-2019/cve@mitre.org
Third Party Advisory
Hyperlink: https://www.kryptowire.com/android-firmware-2019/
Source: cve@mitre.org
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

71Records found
CVE-2023-21097
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.16% / 36.85%
||
7 Day CHG+0.02%
Published-19 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In toUriInner of Intent.java, there is a possible way to launch an arbitrary activity due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-261858325

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2023-44209
Matching Score-4
Assigner-Acronis International GmbH
ShareView Details
Matching Score-4
Assigner-Acronis International GmbH
CVSS Score-5.6||MEDIUM
EPSS-0.03% / 9.77%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 19:44
Updated-06 Mar, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 29051, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186.

Action-Not Available
Vendor-Linux Kernel Organization, IncAcronis (Acronis International GmbH)Microsoft CorporationApple Inc.
Product-macosagentwindowslinux_kernelAcronis Cyber Protect 17Acronis Cyber Protect Cloud Agent
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-0708
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.03% / 9.93%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 13:26
Updated-03 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In runDumpHeap of ActivityManagerShellCommand.java, there is a possible deletion of system files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-183262161

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2020-0210
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 2.06%
||
7 Day CHG~0.00%
Published-11 Jun, 2020 | 14:43
Updated-04 Aug, 2024 | 05:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In removeSharedAccountAsUser of AccountManager.java, there is a possible permissions bypass to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-145206763

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2023-22616
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.11% / 29.41%
||
7 Day CHG~0.00%
Published-12 Apr, 2023 | 00:00
Updated-10 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Insyde InsydeH2O with kernel 5.2 through 5.5. The Save State register is not checked before use. The IhisiSmm driver does not check the value of a save state register before use. Due to insufficient input validation, an attacker can corrupt SMRAM.

Action-Not Available
Vendor-n/aInsyde Software Corp. (ISC)
Product-insydeh2on/a
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2023-20964
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.04% / 13.16%
||
7 Day CHG~0.00%
Published-24 Mar, 2023 | 00:00
Updated-25 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In multiple functions of MediaSessionRecord.java, there is a possible Intent rebroadcast due to a confused deputy. This could lead to local denial of service or escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-238177121

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2022-46868
Matching Score-4
Assigner-Acronis International GmbH
ShareView Details
Matching Score-4
Assigner-Acronis International GmbH
CVSS Score-6.7||MEDIUM
EPSS-0.02% / 6.51%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 14:52
Updated-01 Oct, 2024 | 17:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local privilege escalation during recovery due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40173.

Action-Not Available
Vendor-Microsoft CorporationAcronis (Acronis International GmbH)
Product-windowscyber_protect_home_officeAcronis Cyber Protect Home Officecyber_protect_home_office
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2022-46869
Matching Score-4
Assigner-Acronis International GmbH
ShareView Details
Matching Score-4
Assigner-Acronis International GmbH
CVSS Score-7.3||HIGH
EPSS-0.06% / 17.40%
||
7 Day CHG~0.00%
Published-31 Aug, 2023 | 19:16
Updated-10 Apr, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local privilege escalation during installation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40278, Acronis True Image OEM (Windows) before build 42575.

Action-Not Available
Vendor-Acronis (Acronis International GmbH)Microsoft Corporation
Product-cyber_protect_home_officewindowsAcronis Cyber Protect Home OfficeAcronis True Image OEMcyber_protect_home_office
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2022-44747
Matching Score-4
Assigner-Acronis International GmbH
ShareView Details
Matching Score-4
Assigner-Acronis International GmbH
CVSS Score-2.2||LOW
EPSS-0.04% / 11.61%
||
7 Day CHG~0.00%
Published-07 Nov, 2022 | 19:00
Updated-01 May, 2025 | 17:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107.

Action-Not Available
Vendor-Acronis (Acronis International GmbH)
Product-cyber_protect_home_officeAcronis Cyber Protect Home Office
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CWE ID-CWE-59
Improper Link Resolution Before File Access ('Link Following')
CVE-2021-39703
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 2.13%
||
7 Day CHG~0.00%
Published-16 Mar, 2022 | 14:04
Updated-04 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In updateState of UsbDeviceManager.java, there is a possible unauthorized access of files due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12Android ID: A-207057578

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-39707
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.44%
||
7 Day CHG~0.00%
Published-16 Mar, 2022 | 14:04
Updated-04 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onReceive of AppRestrictionsFragment.java, there is a possible way to start a phone call without permissions due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12Android ID: A-200688991

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-39668
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 2.59%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 17:40
Updated-04 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onActivityViewReady of DetailDialog.kt, there is a possible Intent Redirect due to a confused deputy. This could lead to local escalation of privilege that allows actions performed as the System UI, with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11 Android-12Android ID: A-193445603

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-39626
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.02% / 5.49%
||
7 Day CHG~0.00%
Published-14 Jan, 2022 | 19:10
Updated-04 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onAttach of ConnectedDeviceDashboardFragment.java, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege in Bluetooth settings with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-9Android ID: A-194695497

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-39663
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 1.44%
||
7 Day CHG~0.00%
Published-11 Feb, 2022 | 17:40
Updated-04 Aug, 2024 | 02:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In openFileAndEnforcePathPermissionsHelper of MediaProvider.java, there is a possible bypass of a permissions check due to a confused deputy. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-200682135

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-32578
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.05% / 15.94%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 19:16
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Acronis True Image prior to 2021 Update 4 for Windows allowed local privilege escalation due to improper soft link handling (issue 2 of 2).

Action-Not Available
Vendor-n/aAcronis (Acronis International GmbH)
Product-true_imagen/a
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2024-31319
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-8.4||HIGH
EPSS-0.04% / 13.71%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:09
Updated-17 Dec, 2024 | 17:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In updateNotificationChannelFromPrivilegedListener of NotificationManagerService.java, there is a possible cross-user data leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-441
Unintended Proxy or Intermediary ('Confused Deputy')
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-32576
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.05% / 15.94%
||
7 Day CHG~0.00%
Published-05 Aug, 2021 | 19:07
Updated-03 Aug, 2024 | 23:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Acronis True Image prior to 2021 Update 4 for Windows allowed local privilege escalation due to improper soft link handling (issue 1 of 2).

Action-Not Available
Vendor-n/aAcronis (Acronis International GmbH)
Product-true_imagen/a
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2021-0550
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.01% / 2.06%
||
7 Day CHG~0.00%
Published-22 Jun, 2021 | 11:11
Updated-03 Aug, 2024 | 15:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onLoadFailed of AnnotateActivity.java, there is a possible way to gain WRITE_EXTERNAL_STORAGE permissions without user consent due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179688673

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2024-23639
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.1||MEDIUM
EPSS-0.04% / 10.69%
||
7 Day CHG~0.00%
Published-09 Feb, 2024 | 00:15
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
micronaut-core management endpoints vulnerable to drive-by localhost attack

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.

Action-Not Available
Vendor-objectcomputingmicronaut-projects
Product-micronautmicronaut-core
CWE ID-CWE-664
Improper Control of a Resource Through its Lifetime
CWE ID-CWE-15
External Control of System or Configuration Setting
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2023-6154
Matching Score-4
Assigner-Bitdefender
ShareView Details
Matching Score-4
Assigner-Bitdefender
CVSS Score-7.8||HIGH
EPSS-0.04% / 11.95%
||
7 Day CHG~0.00%
Published-01 Apr, 2024 | 10:06
Updated-07 Feb, 2025 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local privilege escalation in Bitdefender Total Security (VA-11168)

A configuration setting issue in seccenter.exe as used in Bitdefender Total Security, Bitdefender Internet Security, Bitdefender Antivirus Plus, Bitdefender Antivirus Free allows an attacker to change the product's expected behavior and potentially load a third-party library upon execution. This issue affects Total Security: 27.0.25.114; Internet Security: 27.0.25.114; Antivirus Plus: 27.0.25.114; Antivirus Free: 27.0.25.114.

Action-Not Available
Vendor-Bitdefender
Product-antivirusantivirus_plustotal_securityinternet_securityAntivirus PlusAntivirus FreeInternet SecurityTotal Securityantivirus_plusinternet_securityantivirustotal_security
CWE ID-CWE-15
External Control of System or Configuration Setting
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
CVE-2025-48654
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.00% / 0.10%
||
7 Day CHG~0.00%
Published-02 Mar, 2026 | 18:42
Updated-06 Mar, 2026 | 04:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onStart of CompanionDeviceManagerService.java, there is a possible confused deputy due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroid
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
  • Previous
  • 1
  • 2
  • Next
Details not found