Vulnerability Information
Vulnerability Title
N/A
Vulnerability Description
VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL.
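The root cause described above is an activity name pasted into a shell command string. The following added example (not VTech's code and not from the original record) shows the defensive counterpart in C: validate the name against a strict component-name grammar, then pass it as a single `execv()` argument so no shell ever parses it. The function names are hypothetical, and the use of Android's `am start -n` as the launch command is an assumption, since the record does not say which command the service runs.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Accept only "package/class" component names: letters, digits, '_', '.',
 * '$' (inner classes) and exactly one '/'. Anything a shell would interpret
 * (quotes, ';', '{', ',', spaces, ...) is rejected. */
int is_safe_component(const char *name)
{
    size_t len = strlen(name), slashes = 0;

    if (len == 0 || len > 255)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/') {
            /* the single slash must sit between two non-empty parts */
            if (++slashes > 1 || i == 0 || i == len - 1)
                return 0;
        } else if (!isalnum(c) && c != '_' && c != '.' && c != '$') {
            return 0;
        }
    }
    return slashes == 1;
}

/* Fill an argument vector for execv() so the name travels as one argument
 * and is never parsed by a shell. Returns 0 on success, -1 if the name is
 * rejected. The "am start -n" command line is an assumption. */
int build_launch_argv(const char *name, const char *argv[5])
{
    if (!is_safe_component(name))
        return -1;
    argv[0] = "am";
    argv[1] = "start";
    argv[2] = "-n";
    argv[3] = name;
    argv[4] = NULL;
    return 0;
}
```

Validation and shell-free execution are independent layers: either one alone stops the metacharacter string shown in the description, and using both keeps the service safe if one is later weakened.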
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
VTech Storio Max Command Injection Vulnerability
Vulnerability Description
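VTech Storio Max is a children's tablet made by VTech, a company based in Hong Kong, China. A security vulnerability exists in VTech Storio Max versions before 56.D3JM6. An attacker can exploit this vulnerability by inserting metacharacters to run arbitrary commands with root privileges.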
CVSS Information
N/A
Vulnerability Type
N/A